Abstract. The paper studies counter-dependent pseudorandom generators; the latter are generators such that their state transition function (and output function) is being modified dynamically while working: for such a generator the recurrence sequence of states satisfies a congruence $x_{i+1} \equiv f_i(x_i) \pmod{2^n}$, while its output sequence is of the form $z_i = F_i(u_i)$. The paper introduces techniques and constructions that enable one to compose generators that output uniformly distributed sequences of a maximum period length and with high linear and 2-adic spans. The corresponding stream cipher is provably strong against a known plaintext attack (up to a plausible conjecture). Both the state transition function and the output function could be key-dependent, so the only information available to a cryptanalyst is that these functions belong to some (exponentially large) class. These functions are compositions of standard machine instructions (such as addition, multiplication, bitwise logical operations, etc.). The compositions should satisfy rather loose conditions; so the corresponding generators are flexible enough and could be easily implemented as computer programs.



1. Introduction 

The study of ergodic, measure-preserving and equiprobable functions on the space $\mathbb{Z}_p$ of $p$-adic integers in [6, 16, 7, 11] was mainly motivated by possible applications to pseudorandom number generation for cryptography and simulation. In the present paper we consider generators based on these functions, prove that the produced sequences have some (properly defined below) 'features of randomness', and calculate exact values of certain (crucial for cryptographic security) parameters of these generators. Namely, we characterize all possible output sequences in the class of all sequences, calculate exact lengths of their periods, the distribution of overlapping and non-overlapping $k$-tuples, linear complexity, and $p$-adic span. Also, we demonstrate that with the use of these functions it is possible to construct a stream cipher such that to recover its key is an infeasible problem (up to some plausible conjectures).

In fact, the paper introduces certain techniques and constructions that enable one to design stream ciphers with both state transition and output functions depending on the key; yet independently of the key choice the corresponding generator always provides predefined values of the output sequence parameters mentioned above. These functions are (key-dependent) compositions of (standard) machine instructions: arithmetic ones, such as addition and multiplication (exponentiation and raising to negative powers as well), logical ones, such as XOR, OR, AND, NEG, etc., and others (e.g., shifts, masking). Thus, generators of this kind admit quite natural implementation as a computer program. Such generators are rather flexible: to obtain due performance a programmer could vary the length of the composition and the choice of machine instructions without affecting the above mentioned probabilistic and cryptographic characteristics.

Further, focusing on these ideas we introduce counter-dependent generators; the latter are generators such that their state transition function (and output function) is being modified dynamically while working. To be more exact, for these generators the recurrence sequence of states satisfies a congruence $x_{i+1} \equiv f_i(x_i) \pmod{2^n}$, while their output sequence is of the form $z_i = F_i(u_i)$. Note that both the state transition function $f_i$ and the output function $F_i$ depend on the number $i$ of a step; yet nevertheless the output sequence is purely periodic, its period length is a multiple of $2^n$, the distribution of $k$-tuples, $k \le n$, is uniform, its linear complexity is high, etc. Moreover, not only $f_i$ and $F_i$ themselves could be keyed, but also the order in which they are used during encryption.¹

To give an idea of how these schemes look, consider the following example of a counter-dependent generator modulo $2^n$. Take arbitrary $m \equiv 3 \pmod 4$, then take $m$ arbitrary compositions $v_0(x), \ldots, v_{m-1}(x)$ of the above mentioned machine instructions (addition, multiplication, XOR, AND, etc.) and constants, then take another $m$ arbitrary compositions $w_0(x), \ldots, w_{m-1}(x)$ of this kind. Arrange two arrays $V$ and $W$ writing these $v_j(x)$ and $w_j(x)$ to memory in arbitrary order. Now choose arbitrary $x_0 \in \{0, 1, \ldots, 2^n - 1\}$ as a seed. The generator calculates the recurrence sequence of states $x_{i+1} = (i + x_i + 2 \cdot (v_i(x_i + 1) - v_i(x_i))) \bmod 2^n$ and outputs the sequence $z_i = (1 + \pi(x_i) + 2 \cdot (w_i(\pi(x_i) + 1) - w_i(\pi(x_i)))) \bmod 2^n$, where $\pi$ is a bit order reversing permutation, which reads an $n$-bit number $z \in \{0, 1, \ldots, 2^n - 1\}$ in reverse bit order; e.g., $\pi(0) = 0$, $\pi(1) = 2^{n-1}$, $\pi(2) = 2^{n-2}$, $\pi(3) = 2^{n-1} + 2^{n-2}$, etc. Then the sequence $\{x_i\}$ is a purely periodic sequence of period length $2^n m$ of $n$-bit numbers, and each number of $\{0, 1, \ldots, 2^n - 1\}$ occurs at the period exactly $m$ times. Moreover, if we consider $\{x_i\}$ as a binary sequence of period length $2^n m n$, then the frequency with which each $k$-tuple ($0 < k \le n$) occurs in the sequence is exactly [value lost in the scan]. The output sequence $\{z_i\}$ is also purely periodic of period length $2^n m$, and each number of $\{0, 1, \ldots, 2^n - 1\}$ occurs at the period exactly $m$ times as well. Moreover, every binary sequence obtained by reading the $s$-th bit $\delta_s(z_i)$ ($0 \le s \le n - 1$) of the output sequence is purely periodic; its period length is a multiple of $2^n$, hence its linear complexity (as well as that of the whole sequence $\{z_i\}$) exceeds $2^{n-1}$.
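The following is an added, runnable toy version of the generator just described; it is not code from the paper. It assumes $n = 8$ bits and $m = 7$ entries (so $m \equiv 3 \pmod 4$) in each of the arrays $V$ and $W$, reads the step index $i$ modulo $m$ both as the index of $v_i, w_i$ and as the additive term of the state transition (the arrays have only $m$ entries), and builds the $v_j$, $w_j$ from the machine instructions the text names (addition, multiplication, XOR, AND, OR and constants). The function and parameter names are ours. It then checks the two properties the text claims: the state returns to the seed after $2^n m$ steps, and every $n$-bit value occurs exactly $m$ times among the states and among the outputs of one period.

```python
from collections import Counter

# Added example, not the paper's code.  Assumptions: n = 8, m = 7 (7 ≡ 3 mod 4),
# the step index is taken modulo m, and V, W are constructed here from
# compatible machine instructions (+, *, XOR, AND, OR, constants).
N_BITS = 8
MASK = (1 << N_BITS) - 1

V = [
    lambda x: x * x,
    lambda x: (x ^ 0x5A) * 3,
    lambda x: x & 0x33,
    lambda x: (x + 7) * (x | 1),
    lambda x: 11,                    # a constant is a legal composition too
    lambda x: (x * x * x) ^ 0x0F,
    lambda x: x * 8 + (x & 0xF0),    # x*8 is the shift towards more significant bits
]
W = [
    lambda x: x * 5 + 1,
    lambda x: (x & 0x0F) * (x ^ 0x31),
    lambda x: x * x + x,
    lambda x: 0,
    lambda x: (x | 0x81) * 7,
    lambda x: (x ^ 0x3C) * (x ^ 0x3C),
    lambda x: x * x * 3 + (x & 0x55),
]
M = len(V)                           # 7 ≡ 3 (mod 4)
assert len(W) == M and M % 4 == 3


def bitrev(x, n=N_BITS):
    """π: reverse the n-bit pattern of x (bit 0 becomes bit n-1)."""
    r = 0
    for _ in range(n):
        r = (r << 1) | (x & 1)
        x >>= 1
    return r


def delta(f, x):
    """Forward difference f(x+1) - f(x) on plain integers; only its residue
    modulo 2^n is used, and compatibility of f makes that residue depend
    on x modulo 2^n only."""
    return f(x + 1) - f(x)


def next_state(i, x):
    """x_{i+1} = (i + x_i + 2 (v_i(x_i+1) - v_i(x_i))) mod 2^n, index i read mod m."""
    c = i % M
    return (c + x + 2 * delta(V[c], x)) & MASK


def output(i, x):
    """z_i = (1 + π(x_i) + 2 (w_i(π(x_i)+1) - w_i(π(x_i)))) mod 2^n."""
    c = i % M
    y = bitrev(x)
    return (1 + y + 2 * delta(W[c], y)) & MASK


def generate(x0, length):
    """Return the first `length` states and outputs, plus the state reached
    after the last step."""
    xs, zs = [], []
    x = x0
    for i in range(length):
        xs.append(x)
        zs.append(output(i, x))
        x = next_state(i, x)
    return xs, zs, x


def check_claims(x0):
    """Period length 2^n m: after that many steps the counter is back at 0 and
    the state is back at x0; and every n-bit value occurs exactly m times
    among the states and among the outputs of one period."""
    period = M << N_BITS
    xs, zs, x_after = generate(x0, period)
    cx, cz = Counter(xs), Counter(zs)
    return {
        "returns_to_seed": x_after == x0,
        "states_uniform": all(cx[v] == M for v in range(1 << N_BITS)),
        "outputs_uniform": all(cz[v] == M for v in range(1 << N_BITS)),
    }


if __name__ == "__main__":
    print(check_claims(0))
```

Any other choice of compatible $v_j$, $w_j$ (the text's "arbitrary compositions") leaves the checks true; what would break them is an instruction that is not compatible, such as a shift towards the less significant bits, which is exactly the exception the Preliminaries single out.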

In fact, for such stream encryption schemes the only information available to a cryptanalyst is that both the output and the state transition functions belong to a certain (exponentially large) class of functions, and practically nothing more. Thus, practical attacks on such a stream encryption scheme seem to be ineffective.

¹ The notion of a counter-dependent generator was originally introduced in [13]. However, in our paper we consider this notion in a broader sense: in our counter-dependent generators not only the state transition function, but also the output function depends on $i$. Moreover, in [13] only a particular case of counter-dependent generators is studied; namely, counter-assisted generators and their cascaded and two-step modifications. A state transition function of a counter-assisted generator is of the form $f_i(x) = i * h(x)$, where $*$ is a binary quasigroup operation (in particular, a group operation, e.g., $+$ or XOR), and $h(x)$ does not depend on $i$. An output function of a counter-assisted generator does not depend on $i$ either. The main security notion studied in [13] is diversity, which generalizes the concept of long cycles. Note that all our generators achieve the maximum possible total diversity, which is equal to the order of the output set.

We must immediately note here that, strictly speaking, all these results give some evidence, yet not a proof, of the cryptographic security of these ciphers. We recall, however, that today for no stream cipher based on a deterministic algorithm does there exist an unconditional mathematical proof of security. We ought to emphasize also that the study of stream encryption schemes below should not be considered as an exhaustive cryptographic analysis. The latter implies a study of attacks against a particular scheme whose numerical parameters have exact predefined values. Loosely speaking, further results could be considered as a 'toolkit' for a stream cipher designer, but not as a 'make-it-yourself kit': the latter implies detailed 'assembly instructions'; following them guarantees an adequate quality of the whole thing. No such instructions are given in the present paper, only some ideas and hints.

The paper is organized as follows:

• In Section 2 we introduce some basic notions, consider standard machine instructions as continuous 2-adic mappings, describe their properties and prove that under certain very loose conditions the output sequence will be uniformly distributed.

• In Section 3 we state a number of results that enable one to construct permutations with a single cycle and equiprobable functions out of standard machine instructions. Moreover, as examples of how these techniques work we reprove some known results in this area as well as establish new ones.

• In Section 4 we outline several ways of combining the functions described in Section 3 in an automaton that generates a uniformly distributed sequence. There we introduce a new construction (called wreath product of automata, by analogy with the corresponding group theory construction) that enables one to build counter-dependent generators with uniformly distributed output sequences of a maximum period length.

• In Section 5 we study complexity and distribution of output sequences of the automata introduced in Section 4: linear and 2-adic spans of these sequences, their structure, distribution of $k$-tuples in them, etc. In particular, we prove that the distribution of (overlapping) $k$-tuples is strictly uniform; namely, that these output sequences have a property that could be called generalized De Bruijn: being considered as binary sequences, they are purely periodic, their period lengths are multiples of $2^n$, and each $k$-tuple ($k \le n$) occurs at the period the same number of times. From here we deduce that a large class of these sequences satisfy Knuth's criterion Q1² of randomness.

• In Section 6 we demonstrate how to construct a stream cipher with an intractable key recovery problem, conjecturing that a set of $k$ multivariate Boolean polynomials defines a one-way function (it is known that to determine whether a system of $k$ Boolean polynomials in $n$ variables has a common zero is an NP-complete problem³).

² See [2, Section 3.5, Definition Q1]

³ See e.g. [26, Appendix A, Section A7.2, Problem ANT-9]
2. Preliminaries

Basically, a generator we consider in the paper is a finite automaton $\mathfrak{A} = \langle N, M, f, F, u_0 \rangle$ with a finite state set $N$, state transition function $f\colon N \to N$, finite output alphabet $M$, output function $F\colon N \to M$ and an initial state (seed) $u_0 \in N$. Thus, this generator produces a sequence

$$\mathcal{S} = \{F(u_0),\ F(f(u_0)),\ F(f^{(2)}(u_0)),\ \ldots,\ F(f^{(j)}(u_0)),\ \ldots\}$$

over the set $M$, where

$$f^{(j)}(u_0) = \underbrace{f(\ldots f}_{j\ \text{times}}(u_0)\ldots) \quad (j = 1, 2, \ldots);\qquad f^{(0)}(u_0) = u_0.$$

Automata of the form $\mathfrak{A}$ will be considered either as pseudorandom generators per se, or as components of more complicated pseudorandom generators, which are introduced in Section 4; the latter produce pseudorandom sequences $\{z_0, z_1, z_2, \ldots\}$ over $M$ according to the rule

$$z_0 = F_0(u_0),\ u_1 = f_0(u_0);\ \ldots;\ z_i = F_i(u_i),\ u_{i+1} = f_i(u_i);\ \ldots$$

That is, at the $(i+1)$-th step the automaton $\mathfrak{A}_i = \langle N, M, f_i, F_i, u_i \rangle$ is applied to the state $u_i \in N$, producing a new state $u_{i+1} = f_i(u_i) \in N$, and outputting a symbol $z_i = F_i(u_i) \in M$.

Quite often in the paper we assume that $N = I_n(p) = \{0, 1, \ldots, p^n - 1\}$, $M = I_m(p)$, $m \le n$, where $p$ is a (usually prime) positive rational integer greater than 1. Moreover, mainly we are focused on the case $p = 2$ as the most convenient for computer implementations, and use the shorter notation $I_n$ instead of $I_n(2)$. As a rule, further we formulate results mainly for this case, making brief remarks for those of them that remain true for arbitrary $p$.

Now let $n = km \ge 1$ (maybe $k = 1$) be a positive rational integer. Let the state set $N$ of the above mentioned automaton $\mathfrak{A}$ be $I_n = \{0, 1, \ldots, 2^n - 1\}$. Further we will identify the set $I_n$ either with the set of all elements of the residue class ring $\mathbb{Z}/2^n$ of integers modulo $2^n$, or with the set $W_n(2)$ of all $n$-bit words in the alphabet $I = I_1 = \{0, 1\}$, or with the set of all elements of the direct product

$$(\mathbb{Z}/2^m)^{(k)} = \underbrace{\mathbb{Z}/2^m \times \cdots \times \mathbb{Z}/2^m}_{k\ \text{times}}$$

of $k$ copies of the residue class ring $\mathbb{Z}/2^m$, or with the set $W_k(2^m)$ of all words of length $k$ in the alphabet $I_m$. In other words, if necessary, we may treat a number $i \in \{0, 1, \ldots, 2^n - 1\}$ either as an $n$-bit word, or as a $k$-tuple of numbers of $\{0, 1, \ldots, 2^m - 1\}$, or as a $k$-tuple of $m$-bit blocks.

To be more exact, let $\delta_j^m(i) \in I_m$ be the $j$-th digit of a number $i$ in its base-$2^m$ expansion: that is, if $i = i_0 + i_1 \cdot 2^m + i_2 \cdot (2^m)^2 + \ldots$, where $i_j \in I_m$, $j = 0, 1, 2, \ldots$, then, by definition, $\delta_j^m(i) = i_j$. (For $m = 1$ we usually omit the superscript, when this does not lead to misunderstanding.) With these notations, if $i \in I_n$, then the word $w_k(i) \in W_k(2^m)$ is the concatenation $\delta_0^m(i) \ldots \delta_{k-1}^m(i)$, and the corresponding element $r_k(i) \in (\mathbb{Z}/2^m)^{(k)}$ is $r_k(i) = (\delta_0^m(i), \ldots, \delta_{k-1}^m(i))$. Thus, for each $i \in I_n$ and for arbitrary mappings $F\colon (\mathbb{Z}/2^m)^{(k)} \to \mathbb{Z}/2^m$ and $G\colon W_n(2) \to W_k(2^m)$ the expressions $F(i)$ and $G(i)$ are correctly defined: namely, $F(i)$ stands for $F(r_k(i))$, $G(i)$ stands for $G(w_k(i))$. In view of the above mentioned bijections between $I_m$ and $\mathbb{Z}/2^m$, both $F(i)$ and $G(i)$ may be considered as elements of $I_m$ and $I_n$, respectively.
We will need a particular mapping $\pi_s^t\colon W_s(2^t) \to W_s(2^t)$, an order reversing permutation: $\pi_s^t(u_0 u_1 \ldots u_{s-1}) = u_{s-1} u_{s-2} \ldots u_0$, where $u_0, \ldots, u_{s-1} \in I_t$. In view of the above conventions, for each $i \in I_n$ the following expressions are well defined: $\pi_k^m(i), \pi_n^1(i) \in I_n$ and $\pi_m^1(\delta_j^m(i)) \in I_m$. In other words, $\pi_n^1(i)$ reads the base-2 expansion of $i$ in reverse order, while $\pi_k^m(i)$ reads the base-$2^m$ expansion of $i$ in reverse order; e.g. $\pi_4^1(7) = 14$, $\pi_2^2(7) = 13$. Often, when it is clear within a context, we omit a superscript (sometimes together with a subscript) in $\pi_s^t$.

Note that the functions $\pi_k^m$, $\pi_n^1$, $\delta_j^m$, being compositions of arithmetic and logical operators, are easily programmable: so $\delta_j^m(i)$ (in particular $\delta_j(i)$) is a composition of AND (bitwise logical multiplication, bitwise conjunction) and left and right shifts, and $\pi_n^1(i) = \delta_{n-1}(i) + \delta_{n-2}(i) \cdot 2 + \cdots + \delta_0(i) \cdot 2^{n-1}$. Note that for certain $m, n$ both $\delta_j^m(i)$ and $\pi_k^m(i)$ are just a machine instruction (e.g., 'read the $j$-th memory cell', the latter assumed to be $m$-bit) or are implemented with the use of writing to and reading from memory. For instance, the byte order reversing permutation $\pi_k^8$ could be implemented with the use of stack writing-reading, whereas $\pi_8^1$ could be stored in memory as a one-dimensional byte array (the $i$-th byte is $\pi_8^1(i)$); then $\pi_k^8$ and $\pi_8^1$ could be combined in an easy program to obtain $\pi_{8k}^1$. Also we notice that in fact one uses the mapping $\pi_n^1$ in simulation tasks when converting the integer output $s_0, s_1, \ldots$ ($s_i \in \{0, 1, \ldots, 2^n - 1\}$) of a pseudorandom number generator into real numbers of the unit interval.
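As an added illustration (not code from the paper), here are the digit map $\delta_j^m$, the word map $w_k$ and the permutation $\pi_s^t$ written with the machine operations the text mentions: AND with a mask and shifts, i.e. multiplication and integer division by powers of two. It also shows the composition of the byte-order reversal $\pi_k^8$ with a 256-entry table for $\pi_8^1$ that the text suggests for obtaining $\pi_{8k}^1$. All function and parameter names are ours; the sample values are the page's own ($\pi_4^1(7) = 14$, $\pi_2^2(7) = 13$) plus constructed ones.

```python
# Added example, not the paper's code.  Names (digit, word, from_word, pi,
# bit_reverse_via_bytes) are ours; digit 0 is the least significant one,
# matching the paper's convention i = δ_0(i) + δ_1(i)·2 + δ_2(i)·4 + ...

def digit(i, j, m=1):
    """δ_j^m(i): the j-th digit of i in base 2^m, via a shift and an AND mask."""
    return (i >> (j * m)) & ((1 << m) - 1)


def word(i, k, m):
    """w_k(i) = r_k(i): the k-tuple (δ_0^m(i), ..., δ_{k-1}^m(i)) of m-bit blocks."""
    return tuple(digit(i, j, m) for j in range(k))


def from_word(digits, m):
    """Inverse of word(): assemble an integer from m-bit digits, least significant first."""
    return sum(d << (j * m) for j, d in enumerate(digits))


def pi(i, s, t):
    """π_s^t(i): read the s digits of i in base 2^t in reverse order."""
    return from_word(reversed(word(i, s, t)), t)


def bit_reverse_via_bytes(i, k):
    """π^1_{8k} obtained as the text suggests: reverse the byte order (π^8_k),
    then reverse the bits inside every byte with a precomputed table for π^1_8."""
    table = [pi(b, 8, 1) for b in range(256)]      # the 256-entry byte table
    reordered = word(pi(i, k, 8), k, 8)            # bytes of i in reverse order
    return from_word([table[b] for b in reordered], 8)


if __name__ == "__main__":
    print(pi(7, 4, 1), pi(7, 2, 2))               # the page's examples: 14, 13
    print(hex(bit_reverse_via_bytes(0x0123, 2)))  # constructed sample: 0xc480
```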

It is worth mentioning here that, according to the above settled conventions, we can consider bitwise logical operators (such as XOR, AND, etc.) as functions defined on the set $\mathbb{N}_0 = \{0, 1, 2, \ldots\}$: we merely represent variables in their base-2 expansions (e.g., $1\ \mathrm{XOR}\ 3 = 2$, $1\ \mathrm{AND}\ 3 = 1$). An $m$-bit right shift is just a multiplication by $2^m$, whereas an $m$-bit left shift is integer division by $2^m$, i.e., $\lfloor u/2^m \rfloor$, with $\lfloor a \rfloor$ being the greatest rational integer that does not exceed $a$. Note that throughout the paper we represent integers $i$ in reverse bit order, less significant bits left, according to their occurrences in the 2-adic canonical representation $i = \delta_0(i) + \delta_1(i) \cdot 2 + \delta_2(i) \cdot 4 + \ldots$; so 0011 is 12, and not 3.

Functions $\pi_s^t$ together with arithmetic operations (addition and multiplication) as well as bitwise logical operations (such as XOR, AND) and other "machine" ones (such as left and right shifts) are the "building blocks" of the pseudorandom generators studied below, so for the reader's convenience we list the corresponding operators here, supplying them with definitions and comments, if necessary.

Bitwise logical operators are defined by the following congruences, which must hold for all $u, v \in \mathbb{N}_0$ (or, equivalently, for all $u, v \in \mathbb{Z}_2$) and for all $j = 0, 1, 2, \ldots$:

(2.0.1)
XOR, or $\oplus$, a bitwise 'exclusive or' operator: $\delta_j(u\ \mathrm{XOR}\ v) \equiv \delta_j(u) + \delta_j(v) \pmod 2$;
AND, or $\wedge$, a bitwise 'and' operator, bitwise conjunction: $\delta_j(u\ \mathrm{AND}\ v) \equiv \delta_j(u) \cdot \delta_j(v) \pmod 2$;
OR, or $\vee$, a bitwise 'or' operator, bitwise disjunction: $\delta_j(u\ \mathrm{OR}\ v) \equiv \delta_j(u) + \delta_j(v) + \delta_j(u) \cdot \delta_j(v) \pmod 2$;
NEG, or $\neg$, a bitwise negation: $\delta_j(\mathrm{NEG}(u)) \equiv \delta_j(u) + 1 \pmod 2$.
The other bitwise logical operators (originating from e.g. implication, etc.) could be defined by analogy.

Note that all these operators are defined on the set $\mathbb{N}_0$ of non-negative rational integers. Moreover, they are defined on the set $\mathbb{Z}_2$ of all 2-adic integers (see [6, 16]). The latter ones within the context of this paper could be thought of as countably infinite binary sequences with members indexed by $0, 1, 2, \ldots$. Sequences with only a finite number of 1's correspond to non-negative rational integers in their base-2 expansions, sequences with only a finite number of 0's correspond to negative rational integers, while eventually periodic sequences correspond to rational numbers represented by irreducible fractions with odd denominators: for instance, $3 = 11000\ldots$, $-3 = 10111\ldots$, $\frac{1}{3} = 11010101\ldots$, $-\frac{1}{3} = 101010\ldots$. So $\delta_j(u)$ for $u \in \mathbb{Z}_2$ is merely the $j$-th member of the corresponding sequence.

Arithmetic operations (addition and multiplication) with these sequences could be defined via the standard algorithms of addition and multiplication of natural numbers represented in base-2 expansions: each member of a sequence which corresponds to a sum (respectively, to a product) of two given sequences will be calculated by these algorithms within a finite number of steps.

Thus, $\mathbb{Z}_2$ is a commutative ring with respect to the so defined addition and multiplication. It is a metric space with respect to the distance $d_2(u, v)$ defined by the following rule: $d_2(u, v) = \|u - v\|_2 = 2^{-n}$, where $n$ is the smallest non-negative rational integer such that $\delta_n(u) \ne \delta_n(v)$, and $d_2(u, v) = 0$ if no such $n$ exists (i.e., if $u = v$). For instance $d_2(3, \frac{1}{3}) = \frac{1}{8}$. With the use of this distance it is possible to define convergent sequences, limits, continuous functions and derivatives in $\mathbb{Z}_2$.

For instance, with respect to the so defined distance, the following sequence tends to $-1$:

$$1,\ 3,\ 7,\ 15,\ 31,\ \ldots,\ 2^n - 1,\ \ldots;$$

bitwise logical operators (such as XOR, AND) define continuous functions in two variables, the function $f(x) = x\ \mathrm{XOR}\ a$ is differentiable everywhere on $\mathbb{Z}_2$ for every rational integer $a$: its derivative is $-1$ for negative $a$, and $1$ in the opposite case (see 3.22 for other examples of this kind and more detailed calculations).

Reduction modulo $2^n$ of a 2-adic integer $v$, i.e., setting all members of the corresponding sequence with indexes greater than $n - 1$ to zero (that is, taking the first $n$ digits in the representation of $v$) is just an approximation of the 2-adic integer $v$ by a rational integer with accuracy $2^{-n}$: this approximation is an $n$-digit positive rational integer $v\ \mathrm{AND}\ (2^n - 1)$; the latter will be denoted also as $v \bmod 2^n$. For a formal introduction to $p$-adic analysis, precise notions and results see e.g. [3] or [4].

Arithmetic and bitwise logical operations are not independent: some of them could be expressed via the others. For instance, for all $u, v \in \mathbb{Z}_2$

(2.0.2)
$\mathrm{NEG}(u) = u\ \mathrm{XOR}\ (-1)$;
$\mathrm{NEG}(u) + u = -1$;
$u\ \mathrm{XOR}\ v = u + v - 2(u\ \mathrm{AND}\ v)$;
$u\ \mathrm{OR}\ v = u + v - (u\ \mathrm{AND}\ v)$;
$u\ \mathrm{OR}\ v = (u\ \mathrm{XOR}\ v) + (u\ \mathrm{AND}\ v)$.
Proofs of these identities (2.0.2) are just an exercise: for example, if $\alpha, \beta \in \{0, 1\}$ then $\alpha \oplus \beta = \alpha + \beta - 2\alpha\beta$ and $\alpha \vee \beta = \alpha + \beta - \alpha\beta$. Hence:

$$u\ \mathrm{XOR}\ v = \sum_{i=0}^{\infty} 2^i\bigl(\delta_i(u) \oplus \delta_i(v)\bigr) = \sum_{i=0}^{\infty} 2^i\bigl(\delta_i(u) + \delta_i(v) - 2\delta_i(u)\delta_i(v)\bigr) = \sum_{i=0}^{\infty} 2^i\delta_i(u) + \sum_{i=0}^{\infty} 2^i\delta_i(v) - 2 \cdot \sum_{i=0}^{\infty} 2^i\delta_i(u)\delta_i(v) = u + v - 2(u\ \mathrm{AND}\ v).$$

Proofs of the rest of the identities could be made by analogy and thus are omitted. Right shift (towards more significant digits), as well as masking and reduction modulo $2^m$ could be derived from the above operations: an $m$-step shift of $u$ is $2^m u$; masking of $u$ is $u\ \mathrm{AND}\ M$, where $M$ is an integer whose base-2 expansion is a mask (i.e., a string of 0's and 1's); reduction modulo $2^m$, i.e., taking the least non-negative residue of $u$ modulo $2^m$, is $u \bmod 2^m = u\ \mathrm{AND}\ (2^m - 1)$.

A common feature the above mentioned arithmetic, bitwise logical and machine operations share is that they all, with the only exception of shifts towards less significant bits, are compatible, i.e. $\omega(u, v) \equiv \omega(u_1, v_1) \pmod{2^k}$ whenever both congruences $u \equiv u_1 \pmod{2^k}$ and $v \equiv v_1 \pmod{2^k}$ hold simultaneously. The notion of a compatible mapping could be naturally generalized to mappings $(\mathbb{Z}/p^k)^{(s)} \to (\mathbb{Z}/p^k)^{(r)}$ and $(\mathbb{Z}_p)^{(s)} \to (\mathbb{Z}_p)^{(r)}$; compatible mappings of the latter kind could be also considered as those satisfying the Lipschitz condition with coefficient 1 (with respect to the $p$-adic distance), see [16]. Obviously, a composition of compatible mappings is a compatible mapping. We list now some important examples of compatible operators $(\mathbb{Z}_p)^{(s)} \to (\mathbb{Z}_p)^{(r)}$, $p$ prime (see [16]). Part of them originates from arithmetic operations:

(2.0.3)
multiplication, $\cdot$: $(u, v) \mapsto uv$;
addition, $+$: $(u, v) \mapsto u + v$;
subtraction, $-$: $(u, v) \mapsto u - v$;
exponentiation, $\uparrow_p$: $(u, v) \mapsto u \uparrow_p v = (1 + pu)^v$; in particular, raising to negative powers, $u \uparrow_p (-r) = (1 + pu)^{-r}$, $r \in \mathbb{N}$; and
division, $/_p$: $u /_p v = u \cdot (v \uparrow_p (-1)) = \dfrac{u}{1 + pv}$.

The other part originates from digitwise logical operations of $p$-valued logic:

(2.0.4)
digitwise multiplication $u \odot_p v$: $\delta_j(u \odot_p v) \equiv \delta_j(u)\delta_j(v) \pmod p$;
digitwise addition $u \oplus_p v$: $\delta_j(u \oplus_p v) \equiv \delta_j(u) + \delta_j(v) \pmod p$;
digitwise subtraction $u \ominus_p v$: $\delta_j(u \ominus_p v) \equiv \delta_j(u) - \delta_j(v) \pmod p$.

Here $\delta_j(z)$ ($j = 0, 1, 2, \ldots$) stands for the $j$-th digit of $z$ in its base-$p$ expansion.

More compatible mappings could be derived from the above mentioned ones. For instance, a reduction modulo $p^n$, $n \in \mathbb{N}$, is $u \bmod p^n = u \odot_p \frac{p^n - 1}{p - 1}$, an $l$-step shift towards more significant digits is just a multiplication by $p^l$, etc. Obviously,

$$u \odot_2 v = u\ \mathrm{AND}\ v,\qquad u \oplus_2 v = u\ \mathrm{XOR}\ v.$$
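The following added example (not code from the paper) serves both the description of 2-adic integers and the 2-adic distance above and the identities (2.0.2) with the compatibility condition. It relies on one fact: Python integers of either sign behave, under `&`, `|`, `^` and `~`, exactly like the 2-adic integers of the text (a negative number is an infinite digit sequence ending in 1's), so $\delta_j$, $d_2$ and the identities can be checked on concrete values, and the compatibility congruence can be tested on sample points for the machine operations, including the one exception the text names (a shift towards the less significant bits). Function names, the sample values and the choice of test points are ours.

```python
# Added example, not the paper's code.  Names and sample values are ours.

def delta(u, j):
    """δ_j(u): the j-th base-2 digit of a (possibly negative) 2-adic integer u."""
    return (u >> j) & 1


def digits(u, count):
    """The first `count` digits of u, least significant first, as a string
    (the paper's left-to-right order)."""
    return "".join(str(delta(u, j)) for j in range(count))


def d2(u, v):
    """2-adic distance ||u - v||_2 = 2^{-n}, n = index of the first differing digit."""
    if u == v:
        return 0.0
    w = u - v
    n = (w & -w).bit_length() - 1     # number of trailing zero digits of u - v
    return 2.0 ** -n


def identities_hold(u, v):
    """Check the five identities (2.0.2) for one pair of 2-adic integers."""
    neg = ~u                           # NEG(u) as an infinite digit sequence
    return (neg == (u ^ -1)
            and neg + u == -1
            and (u ^ v) == u + v - 2 * (u & v)
            and (u | v) == u + v - (u & v)
            and (u | v) == (u ^ v) + (u & v))


def is_compatible_mod(f, k, samples=range(-64, 64)):
    """Test the compatibility congruence f(u) ≡ f(u1) (mod 2^k) whenever
    u ≡ u1 (mod 2^k), using the pairs u, u1 = u + 2^k for sample points u."""
    mod = 1 << k
    return all((f(u) - f(u + mod)) % mod == 0 for u in samples)


# Constructed machine-instruction compositions; only the last one divides by
# a power of two, i.e. shifts towards the less significant digits.
machine_ops = {
    "x*x + (x ^ 5)": lambda x: x * x + (x ^ 5),
    "(x & 0xF0)*3 - (x | 1)": lambda x: (x & 0xF0) * 3 - (x | 1),
    "8*x": lambda x: 8 * x,            # shift towards more significant digits
    "x // 2": lambda x: x // 2,        # shift towards less significant digits
}


def compatible_ops(k=5):
    """Which of the constructed operations satisfy the congruence modulo 2^k."""
    return {name: is_compatible_mod(f, k) for name, f in machine_ops.items()}


if __name__ == "__main__":
    print(digits(3, 5), digits(-3, 5), digits(-1, 6))   # 11000 10111 111111
    print(d2(3, -3), d2(31, -1))                        # 0.5 0.03125
    print(compatible_ops())
```

A sampled congruence check of this kind can only refute compatibility (as it does for `x // 2`); it cannot prove it, which is why the paper characterizes compatible mappings structurally (Proposition 2.1 below) rather than by testing.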

In the case $p = 2$ compatible mappings could be characterized in terms of Boolean functions. Namely, each mapping $T\colon \mathbb{Z}/2^n \to \mathbb{Z}/2^n$ could be considered as an ensemble of $n$ Boolean functions $T_i(x_0, \ldots, x_{n-1})$, $i = 0, 1, 2, \ldots, n - 1$, in $n$ Boolean variables $x_0, \ldots, x_{n-1}$ by assuming $x_t = \delta_t(u)$, $T_i(x_0, \ldots, x_{n-1}) = \delta_i(T(u))$ for $u$ running from $0$ to $2^n - 1$. The following proposition holds.

2.1. Proposition. ([16, Proposition 3.9]) A mapping $T\colon \mathbb{Z}/2^n \to \mathbb{Z}/2^n$ (accordingly, a mapping $T\colon \mathbb{Z}_2 \to \mathbb{Z}_2$) is compatible iff each Boolean function $T_i(x_0, x_1, \ldots) = \delta_i(T(u))$, $i = 0, 1, 2, \ldots$, does not depend on the variables $x_j = \delta_j(u)$ for $j > i$.

Note. Mappings satisfying the conditions of the proposition are also known as triangle mappings. The proposition after proper restatement (in terms of functions of $p$-valued logic) also holds for odd prime $p$. For multivariate mappings theorem 2.1 holds as well: a mapping $T = (t_1, \ldots, t_s)\colon (\mathbb{Z}_2)^{(r)} \to (\mathbb{Z}_2)^{(s)}$ is compatible iff each Boolean function $t_{k,i}(x_{1,0}, x_{1,1}, \ldots, x_{r,0}, x_{r,1}, \ldots) = \delta_i(t_k(u_1, \ldots, u_r))$ ($i = 0, 1, 2, \ldots$; $k = 1, \ldots, s$) does not depend on the variables $x_{\ell,j} = \delta_j(u_\ell)$ for $j > i$ ($\ell = 1, 2, \ldots, r$).

Now, given a compatible mapping $T\colon \mathbb{Z}_2 \to \mathbb{Z}_2$, one can define an induced mapping $T \bmod 2^n\colon \mathbb{Z}/2^n \to \mathbb{Z}/2^n$ by assuming $(T \bmod 2^n)(z) = T(z) \bmod 2^n = (T(z))\ \mathrm{AND}\ (2^n - 1)$ for $z = 0, 1, 2, \ldots, 2^n - 1$. The induced mapping is obviously a compatible mapping of the ring $\mathbb{Z}/2^n$ into itself. For odd prime $p$, as well as for the multivariate case $T\colon (\mathbb{Z}_p)^{(r)} \to (\mathbb{Z}_p)^{(s)}$, an induced mapping $T \bmod p^n$ could be defined by analogy.

2.2. Definition. (See [16]). We call a compatible mapping $T\colon \mathbb{Z}_p \to \mathbb{Z}_p$ bijective modulo $p^n$ iff the induced mapping $T \bmod p^n$ is a permutation on $\mathbb{Z}/p^n$; we call $T$ transitive modulo $p^n$ iff $T \bmod p^n$ is a permutation with a single cycle. We say that $T$ is measure-preserving (respectively, ergodic) iff $T$ is bijective (respectively, transitive) modulo $p^n$ for all $n \in \mathbb{N}$. We call a compatible mapping $T\colon (\mathbb{Z}_p)^{(s)} \to (\mathbb{Z}_p)^{(r)}$ equiprobable modulo $p^n$ iff the induced mapping $T \bmod p^n$ maps $(\mathbb{Z}/p^n)^{(s)}$ onto $(\mathbb{Z}/p^n)^{(r)}$, and each element of $(\mathbb{Z}/p^n)^{(r)}$ has the same number of preimages in $(\mathbb{Z}/p^n)^{(s)}$. A mapping $T\colon (\mathbb{Z}_p)^{(s)} \to (\mathbb{Z}_p)^{(r)}$ is called equiprobable iff it is equiprobable modulo $p^n$ for all $n \in \mathbb{N}$.

Note. The terms measure-preserving, ergodic and equiprobable originate from the theory of dynamical systems. Namely, the compatible mapping $T\colon \mathbb{Z}_p \to \mathbb{Z}_p$ defines a dynamics on the measurable space $\mathbb{Z}_p$ with a probabilistic measure that is the normalized Haar measure. The mapping $T$ is, e.g., ergodic with respect to this measure (in the sense of the theory of dynamical systems) iff it satisfies 2.2, see [16] for details.

Both transitive modulo $p^n$ and equiprobable modulo $p^n$ mappings will be used as building blocks of pseudorandom generators to provide both a large period length and uniform distribution of output sequences. The following obvious proposition holds.

2.3. Proposition. If the state transition function $f$ of the automaton $\mathfrak{A}$ is transitive on the state set $N$, i.e., if $f$ is a permutation with a single cycle of length $|N|$, if, further, $|N|$ is a multiple of $|M|$, and if the output function $F\colon N \to M$ is equiprobable (i.e., $|F^{-1}(s)| = |F^{-1}(t)|$ for all $s, t \in M$), then the output sequence $\mathcal{S}$ of the automaton $\mathfrak{A}$ is purely periodic with period length $|N|$ (i.e., maximum possible), and each element of $M$ occurs at the period the same number of times. That is, the output sequence $\mathcal{S}$ is uniformly distributed.

2.4. Definition. Further in the paper we call a sequence $\{s_i \in M\}$ over a finite set $M$ strictly uniformly distributed iff it is purely periodic with period length $t$, and with every element of $M$ occurring at the period the same number of times, i.e., exactly $\frac{t}{|M|}$. A sequence $\{s_i \in \mathbb{Z}_p\}$ of $p$-adic integers is called strictly uniformly distributed modulo $p^k$ iff the sequence $\{s_i \bmod p^k\}$ of residues modulo $p^k$ is strictly uniformly distributed over the residue ring $\mathbb{Z}/p^k$. Also, we say that a sequence is purely periodic of period length exactly $t$ iff it has no periods of lengths smaller than $t$. In this case $t$ is called the exact period length of the sequence.⁴

Note. A sequence $\{s_i \in \mathbb{Z}_p\colon i = 0, 1, 2, \ldots\}$ of $p$-adic integers is uniformly distributed (with respect to the normalized Haar measure $\mu$ on $\mathbb{Z}_p$)⁵ iff it is uniformly distributed modulo $p^k$ for all $k = 1, 2, \ldots$; that is, for every $a \in \mathbb{Z}/p^k$ the relative numbers of occurrences of $a$ in the initial segment of length $\ell$ of the sequence $\{s_i \bmod p^k\}$ of residues modulo $p^k$ are asymptotically equal, i.e., $\lim_{\ell \to \infty} \frac{A(a, \ell)}{\ell} = \frac{1}{p^k}$, where $A(a, \ell) = |\{s_i \equiv a \pmod{p^k}\colon i < \ell\}|$ (see [1] for details). So strictly uniformly distributed sequences are uniformly distributed in the common sense of the theory of distribution of sequences.

Thus, putting $N = \mathbb{Z}/2^n$, $M = \mathbb{Z}/2^m$, $n = km$, and taking as $f$ and $F$ respectively $f = \bar f \bmod 2^n$ and $F = \bar F \bmod 2^m$, where the function $\bar f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is compatible and ergodic, and the function $\bar F\colon (\mathbb{Z}_2)^{(k)} \to \mathbb{Z}_2$ is compatible and equiprobable, we obtain an automaton that generates a uniformly distributed periodic sequence, and the length of a period of this sequence is $2^n$. That is, each element of $\mathbb{Z}/2^m$ occurs at the period the same number of times (namely, $2^{n-m}$). Obviously, the conclusion holds if one takes as $F$ an arbitrary composition of the function $F = \bar F \bmod 2^m$ and an equiprobable function: for instance, one may put $F(i) = \bar F(\pi_n(i))$ or $F(i) = \delta_j^m(i)$, etc. Also, the assertion is true for odd prime $p$ as well. Since all the automata considered further in the paper are of this kind, their output sequences (considered as sequences over $\mathbb{Z}/p^m$) are uniformly distributed purely periodic sequences, and the length of their periods is $p^n$, independently of the choice both of the function $f$ and of the function $F$. So, proposition 2.3 makes it possible to vary both the state transition and the output functions (for instance, to make them key-dependent) without affecting the uniform distribution of the output sequence.

Of course, to make all this practicable, one needs to choose these functions $f$ and $F$ from suitably large classes of ergodic and equiprobable functions. In other words, one has to obtain certain tools to produce a number of various measure preserving, ergodic, and equiprobable mappings out of elementary compatible functions like (2.0.1) and (2.0.3). We consider these tools in the next section, as well as give some estimates of how big the produced classes are.

3. Tools 

In this section we introduce various techniques that enable one to construct measure preserving and/or ergodic mappings, as well as to verify whether a given mapping is measure preserving or, respectively, ergodic. We are mainly focused on the class of compatible mappings.



⁴ An exact period length is also called the smallest period of a sequence. We do not use this term to avoid misunderstanding, since we consider a period as a repeating part of a sequence.

⁵ I.e., $\mu(a + p^k \mathbb{Z}_p) = p^{-k}$ for all $a \in \mathbb{Z}_p$ and all $k = 0, 1, 2, \ldots$.
Using interpolation series and polynomials. The general characterization of compatible ergodic functions is given by the following

3.1. Theorem. ([6], [7]) A function $f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is compatible iff it could be represented as

$$f(x) = c_0 + \sum_{i=1}^{\infty} c_i\, 2^{\lfloor \log_2 i \rfloor} \binom{x}{i} \quad (x \in \mathbb{Z}_2);$$

The function $f$ is compatible and measure-preserving iff it could be represented as

$$f(x) = c_0 + x + \sum_{i=1}^{\infty} c_i\, 2^{\lfloor \log_2 i \rfloor + 1} \binom{x}{i} \quad (x \in \mathbb{Z}_2);$$

The function $f$ is compatible and ergodic iff it could be represented as

$$f(x) = 1 + x + \sum_{i=0}^{\infty} c_i\, 2^{\lfloor \log_2 (i+1) \rfloor + 1} \binom{x}{i} \quad (x \in \mathbb{Z}_2),$$

where $c_0, c_1, c_2, \ldots \in \mathbb{Z}_2$. Here, as usual,

$$\binom{x}{i} = \begin{cases} \dfrac{x(x-1)\cdots(x-i+1)}{i!}, & \text{for } i = 1, 2, \ldots,\\[6pt] 1, & \text{for } i = 0, \end{cases}$$

and $\lfloor a \rfloor$ is the integral part of $a$, i.e., the largest rational integer not exceeding $a$.

Note. For odd prime $p$ an analogue of the statement of theorem 3.1 provides only sufficient conditions for ergodicity (resp., measure preservation) of $f$: namely, if $(c, p) = 1$, i.e., if $c$ is a unit (invertible element) of $\mathbb{Z}_p$, then the function $f(x) = c + x + \sum_{i=1}^{\infty} c_i\, p^{\lfloor \log_p (i+1) \rfloor + 1} \binom{x}{i}$ defines a compatible and ergodic mapping of $\mathbb{Z}_p$ onto itself, and the function $f(x) = c_0 + c \cdot x + \sum_{i=1}^{\infty} c_i\, p^{\lfloor \log_p i \rfloor + 1} \binom{x}{i}$ defines a compatible and measure preserving mapping of $\mathbb{Z}_p$ onto itself, see [16, Theorem 2.4].

Thus, in view of theorem 3.1 one can choose a state transition function to be a polynomial with rational (not necessarily integer) key-dependent coefficients, setting $c_i = 0$ for all but a finite number of $i$. Note that to determine whether a given polynomial $f$ with rational (and not necessarily integer) coefficients is integer valued (that is, maps $\mathbb{Z}_p$ into itself), compatible and ergodic, it is sufficient to determine whether it induces a cycle on $O(\deg f)$ integral points. To be more exact, the following proposition holds.

3.2. Proposition. (See [16, Proposition 4.2 (4.7 in preprint)]) A polynomial $f(x) \in \mathbb{Q}_p[x]$ is integer valued, compatible, and ergodic (resp., measure preserving) iff

$$z \mapsto f(z) \bmod p^{\lfloor \log_p (\deg f) \rfloor + 3},$$

where $z$ runs through $0, 1, \ldots, p^{\lfloor \log_p (\deg f) \rfloor + 3} - 1$, is a compatible and transitive (resp., bijective) mapping of the residue ring $\mathbb{Z}/p^{\lfloor \log_p (\deg f) \rfloor + 3}$ onto itself.

Although it is not very essential for further considerations, we note, however, that the series in the statement of 3.1 and of the note thereafter are uniformly convergent with respect to the $p$-adic distance. Thus the mapping $f\colon \mathbb{Z}_p \to \mathbb{Z}_p$ is well-defined and continuous with respect to the $p$-adic distance, see [3, Chapter 9].

Theorem 3.1 enables one to use exponentiation in the design of generators that are transitive modulo $2^n$ for all $n = 1, 2, 3, \ldots$ (on exponential generators see e.g. [17]).
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3.3. Example. For any odd a ~ l + 2m a function f{x) = ax + a^ defines a transitive 
modulo 2" generator Xi+i = f[xi) mod 2". 

Indeed, in view of 3.1 the function $f$ defines a compatible and ergodic mapping of $\mathbb{Z}_2$ onto $\mathbb{Z}_2$, since $f(x) = (1 + 2m)x + (1 + 2m)^x = x + 2mx + \sum_{i \ge 0} m^i 2^i \binom{x}{i} = 1 + x + 4m\binom{x}{1} + \sum_{i \ge 2} m^i 2^i \binom{x}{i}$ and $i \ge \lfloor \log_2 (i+1) \rfloor + 1$ for all $i = 2, 3, 4, \ldots$.

Such a generator could be of practical value since it uses not more than $n + 1$ multiplications modulo $2^n$ of $n$-bit numbers; of course, one should use calls to the table $a^{2^j} \bmod 2^n$, $j = 1, 2, 3, \ldots, n - 1$. The latter table must be precomputed; the corresponding calculations involve $n - 1$ multiplications modulo $2^n$. Obviously, one can use $m$ as a long-term key, with the initial state $x_0$ being a short-term key, i.e., one changes $m$ from time to time, but uses a new $x_0$ for each new message. Obviously, without a properly chosen output function such a generator is not secure. The choice of the output function is discussed in more detail further in the paper.
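As an added example (not code from the paper), here is the generator of Example 3.3 in Python: the table $a^{2^j} \bmod 2^n$ is precomputed, $a^x$ is assembled from it by square-and-multiply, and a brute-force orbit check confirms the transitivity modulo $2^n$ claimed above for small $n$. The helper names (`power_table`, `next_state`, `keystream`, `is_transitive`) and the sample keys are this example's own.

```python
# Added example (not code from the paper): the exponential generator of
# Example 3.3, x_{i+1} = (a*x_i + a**x_i) mod 2**n with odd a = 1 + 2m.
# a**x is computed from a precomputed table of a**(2**j) mod 2**n, so one step
# costs at most n + 1 multiplications modulo 2**n, as the text states.

def power_table(a, n):
    """Precompute a^(2^j) mod 2^n for j = 0..n-1 (n - 1 squarings)."""
    mod = 1 << n
    table = [a % mod]
    for _ in range(n - 1):
        table.append((table[-1] * table[-1]) % mod)
    return table

def exp_mod(x, table, n):
    """a^x mod 2^n by square-and-multiply over the table (x < 2^n, so n bits suffice)."""
    mod = 1 << n
    result = 1
    for j in range(n):
        if (x >> j) & 1:
            result = (result * table[j]) % mod
    return result

def next_state(x, a, table, n):
    """One step of the generator: f(x) = a*x + a^x mod 2^n."""
    return (a * x + exp_mod(x, table, n)) % (1 << n)

def keystream(m, x0, n, count):
    """Emit `count` states for long-term key m (a = 1 + 2m) and short-term key x0."""
    a = 1 + 2 * m
    table = power_table(a, n)
    out, x = [], x0 % (1 << n)
    for _ in range(count):
        out.append(x)
        x = next_state(x, a, table, n)
    return out

def is_transitive(m, n):
    """Transitivity mod 2^n: the orbit of 0 visits every residue once and returns to 0."""
    a, mod = 1 + 2 * m, 1 << n
    table = power_table(a, n)
    seen, x = set(), 0
    for _ in range(mod):
        seen.add(x)
        x = next_state(x, a, table, n)
    return len(seen) == mod and x == 0
```

The long-term key $m$ fixes $a$ and the table; the short-term key $x_0$ is just the initial state. As the text stresses, the raw state sequence is not a usable keystream on its own: the check here establishes period and uniformity only, nothing about the output function.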

Note. A similar argument shows that for every prime $p$ and every $a \equiv 1 \pmod p$ the function $f(x) = ax + a^x$ defines a compatible and ergodic mapping of $\mathbb{Z}_p$ onto itself.

For polynomials with (rational or p-adic) integer coefficients theorem 3.1 may be 
restated in the following form. 

3.4. Proposition. (See [6, Corollary 4.11], [7, Corollary 4.7]) Represent a polynomial $f(x) \in \mathbb{Z}_2[x]$ in the basis of descending factorial powers

$$x^{\underline{0}} = 1,\quad x^{\underline{1}} = x,\quad x^{\underline{2}} = x(x-1),\ \ldots,\ x^{\underline{i}} = x(x-1)\cdots(x-i+1),\ \ldots,$$

i.e., let

$$f(x) = \sum_{i=0}^{d} c_i\, x^{\underline{i}}$$

for $c_0, c_1, \ldots, c_d \in \mathbb{Z}_2$. Then the polynomial $f$ induces an ergodic (and, obviously, a compatible) mapping of $\mathbb{Z}_2$ onto itself iff its coefficients $c_0, c_1, c_2, c_3$ satisfy the following congruences:

$$c_0 \equiv 1 \pmod 2,\quad c_1 \equiv 1 \pmod 4,\quad c_2 \equiv 0 \pmod 2,\quad c_3 \equiv 0 \pmod 4.$$

The polynomial $f$ induces a measure preserving mapping iff

$$c_1 \equiv 1 \pmod 2,\quad c_2 \equiv 0 \pmod 2,\quad c_3 \equiv 0 \pmod 2.$$

Thus, to provide ergodicity of the polynomial mapping $f$ it is necessary and sufficient to hold fixed 6 bits only, while the other bits of the coefficients of $f$ may vary (e.g., may be key-dependent). This guarantees transitivity of the state transition function $z \mapsto f(z) \bmod 2^n$ for each $n$, and hence uniform distribution of the output sequence.

Proposition 3.4 implies that the polynomial $f(x) \in \mathbb{Z}[x]$ is ergodic (resp., measure preserving) iff it is transitive modulo 8 (resp., iff it is bijective modulo 4). A corresponding assertion holds in the general case, for an arbitrary prime $p$.

3.5. Theorem. (See [9], [16]) A polynomial $f(x) \in \mathbb{Z}_p[x]$ induces an ergodic mapping of $\mathbb{Z}_p$ onto itself iff it is transitive modulo $p^2$ for $p \ne 2, 3$, or modulo $p^3$ for $p = 2, 3$. The polynomial $f(x) \in \mathbb{Z}_p[x]$ induces a measure preserving mapping of $\mathbb{Z}_p$ onto itself iff it is bijective modulo $p^2$.
3.6. Example. The mapping $x \mapsto f(x) = x + 2x^2 \pmod{2^{32}}$ (which is used in RC6, see [18]) is bijective, since it is bijective modulo 4: $f(0) \equiv 0$, $f(1) \equiv 3$, $f(2) \equiv 2$, $f(3) \equiv 1 \pmod 4$. Thus, the mapping $x \mapsto f(x) = x + 2x^2 \pmod{2^n}$ is bijective for all $n = 1, 2, \ldots$.
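As an added example (not code from the paper), the following Python rewrites an integer polynomial in the descending factorial basis of Proposition 3.4 (via Stirling numbers of the second kind, a standard conversion the paper does not spell out), applies the four congruences, and sets the result beside the brute-force tests of Theorem 3.5 and Example 3.6: transitivity modulo 8 for ergodicity, bijectivity modulo 4 for measure preservation. The sample polynomials other than RC6's $x + 2x^2$ are this example's own.

```python
# Added example (not code from the paper): coefficient criteria of Proposition 3.4
# next to the finite checks of Theorem 3.5 / Example 3.6 for f in Z[x].
from functools import lru_cache

@lru_cache(maxsize=None)
def stirling2(n, k):
    """Stirling numbers of the second kind: x^n = sum_k S(n, k) * x^(k falling)."""
    if n == k:
        return 1
    if k == 0 or k > n:
        return 0
    return k * stirling2(n - 1, k) + stirling2(n - 1, k - 1)

def falling_factorial_coeffs(coeffs):
    """[a_0, a_1, ...] with f = sum a_i x^i  ->  [c_0, c_1, ...] with f = sum c_i x^(i falling)."""
    c = [0] * len(coeffs)
    for i, a in enumerate(coeffs):
        for k in range(i + 1):
            c[k] += a * stirling2(i, k)
    return c

def is_ergodic_by_coeffs(coeffs):
    """Proposition 3.4: c_0 odd, c_1 = 1 (mod 4), c_2 even, c_3 = 0 (mod 4); higher c_i are free."""
    c = falling_factorial_coeffs(coeffs) + [0, 0, 0, 0]
    return c[0] % 2 == 1 and c[1] % 4 == 1 and c[2] % 2 == 0 and c[3] % 4 == 0

def preserves_measure_by_coeffs(coeffs):
    """Proposition 3.4: c_1 odd, c_2 even, c_3 even."""
    c = falling_factorial_coeffs(coeffs) + [0, 0, 0, 0]
    return c[1] % 2 == 1 and c[2] % 2 == 0 and c[3] % 2 == 0

def evaluate(coeffs, x, mod):
    return sum(a * pow(x, i, mod) for i, a in enumerate(coeffs)) % mod

def is_bijective_mod(coeffs, mod):
    """Theorem 3.5 (p = 2): measure preserving iff bijective modulo 4."""
    return len({evaluate(coeffs, x, mod) for x in range(mod)}) == mod

def is_transitive_mod(coeffs, mod):
    """Theorem 3.5 (p = 2): ergodic iff transitive modulo 8 (single cycle through all residues)."""
    x, seen = 0, set()
    for _ in range(mod):
        seen.add(x)
        x = evaluate(coeffs, x, mod)
    return len(seen) == mod and x == 0
```

`falling_factorial_coeffs([0, 1, 2])` gives $[0, 3, 2]$ for the RC6 map: $c_1 = 3$ is odd and $c_2 = 2$ is even, so it preserves measure, but $c_1 \not\equiv 1 \pmod 4$, so it is not ergodic, which agrees with the fixed point $f(0) = 0$.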

Hence, with the use of theorem 3.5 it is possible to obtain transitive modulo $q > 1$ mappings for arbitrary natural $q$: one can just take $f(z) = (1 + z + \bar q\, g(z)) \bmod q$, where $g(x) \in \mathbb{Z}[x]$ is an arbitrary polynomial, and $\bar q$ is the product of $p^{s_p}$ over all prime factors $p$ of $q$, where $s_2 = s_3 = 3$, and $s_p = 2$ for $p \ne 2, 3$. Again, the polynomial $g(x)$ may be chosen, roughly speaking, 'more or less at random', i.e., it may be key-dependent, but the output sequence will be uniformly distributed for any choice of $g(x)$. This assertion may be generalized further.

3.7. Proposition. ([16, Lemma 4.4 and Proposition 4.5; resp., Lemma 4.11 and Proposition 4.12 in the preprint]) Let $p$ be a prime, and let $g(x)$ be an arbitrary composition of mappings listed in (2.0.3). Then the mapping $z \mapsto 1 + z + p^3 g(z)$ ($z \in \mathbb{Z}_p$) is ergodic.

In fact, both propositions 3.4, 3.7 and theorem 3.5 are particular cases of the following general

3.8. Theorem. ([16, Theorem 4.2, or 4.9 in the preprint]) Let $\mathcal{B}_p$ be the class of all functions defined by series of the form $f(x) = \sum_{i \ge 0} c_i\, x^{\underline{i}}$, where $c_0, c_1, \ldots$ are $p$-adic integers, and $x^{\underline{i}}$ ($i = 0, 1, 2, \ldots$) are descending factorial powers (see 3.4). Then the function $f \in \mathcal{B}_p$ preserves measure iff it is bijective modulo $p^2$; $f$ is ergodic iff it is transitive modulo $p^2$ (for $p \ne 2, 3$), or modulo $p^3$ (for $p \in \{2, 3\}$).

Note. As was shown in [16], the class $\mathcal{B}_p$ contains all polynomial functions over $\mathbb{Z}_p$, as well as analytic (e.g., rational, entire) functions that are convergent everywhere on $\mathbb{Z}_p$. In fact, every mapping that is a composition of arithmetic operators (2.0.3) only belongs to $\mathcal{B}_p$; thus, every such mapping modulo $p^n$ could be induced by a polynomial with rational integer coefficients (see the end of Section 4 in [16]). For instance, the mapping $x \mapsto (3x + 3^x) \bmod 2^n$ (which is transitive modulo $2^n$, see 3.3) could be induced by the polynomial

$$1 + x + 4\binom{x}{1} + \sum_{i=2}^{n-1} 2^i \binom{x}{i} = 1 + 5x + \sum_{i=2}^{n-1} \frac{2^i}{i!}\, x^{\underline{i}};$$

just note that $c_i = 2^i/i!$ are 2-adic integers, since the exponent of the maximal power of 2 that is a factor of $i!$ is exactly $i - \mathrm{wt}_2 i$, where $\mathrm{wt}_2 i$ is the number of 1's in the base-2 expansion of $i$ (see e.g. [4, Chapter 1, Section 2, Exercise 12]); thus $\big\|\tfrac{2^i}{i!}\big\|_2 = 2^{-\mathrm{wt}_2 i} \le 1$, i.e. $c_i \in \mathbb{Z}_2$ and so $c_i \bmod 2^n \in \mathbb{Z}$.

Theorem 3.8 implies that, for instance, the state transition function $f(z) = \big(1 + z + C(q)^3\,(1 + C(q)\,u(z))^{v(z)}\big) \bmod q$ is transitive modulo $q$ for each natural $q > 1$ and arbitrary polynomials $u(x), v(x) \in \mathbb{Z}[x]$, where $C(q)$ is the product of all prime factors of $q$. So one can choose as a state transition function not only polynomial functions, but also rational functions, as well as analytic ones. It should be mentioned, however, that this is merely a form in which the function is represented (which could be suitable in some cases and unsuitable in others); yet, for a given $q$, all the functions of this type may also be represented as polynomials over $\mathbb{Z}$ (see [16, Proposition 4.4; resp., Proposition 4.10 in the preprint]). For instance, certain generators of inversive kind (i.e., those using taking the inverse modulo $2^n$) could be considered in such a manner.
3.9. Example. For $f(x) = -x - \dfrac{1}{1 + 2x}$ the generator $x_{i+1} = f(x_i) \bmod 2^n$ is transitive.

Indeed, the function

$$f(x) = (-1 + 2x - 4x^2 + 8x^3 - \cdots) - x = -1 + x - 4x^2 + 8(\cdots)$$

is analytic and defined everywhere on $\mathbb{Z}_2$; thus $f \in \mathcal{B}_2$. Now the conclusion follows in view of 3.8, since by direct calculations it could be easily verified that the function $f(x) \equiv -1 + x - 4x^2 \pmod 8$ is transitive modulo 8. Note that modulo $2^n$ the mapping $x \mapsto f(x) \bmod 2^n$ could be induced by the polynomial $-1 + x - 4x^2 + 8x^3 + \cdots$

Combining operators. The class of all transitive modulo $q$ mappings induced by polynomials with rational integer coefficients is rather wide: for instance, for $q = 2^n$ it contains about $2^{n^2/2}$ mappings (for the exact value see [9, Proposition 15], or 3.17 below). However, it could be widened significantly (up to a class of order $2^{2^n - n - 1}$ in case $q = 2^n$) by admitting also the operators (2.0.4) in the composition. It turns out that there is an easy way to construct a measure preserving or ergodic mapping out of an arbitrary compatible mapping, i.e., out of an arbitrary composition of both arithmetic (2.0.3) and logical (2.0.4) operators.

3.10. Proposition. ([16, Lemma 2.1 and Theorem 2.5]) Let $\Delta$ be the difference operator, i.e., $\Delta g(x) = g(x + 1) - g(x)$ by definition. Let, further, $p$ be a prime, let $c$ be coprime with $p$, $\gcd(c, p) = 1$, and let $g\colon \mathbb{Z}_p \to \mathbb{Z}_p$ be a compatible mapping. Then the mapping $z \mapsto c + z + p\,\Delta g(z)$ ($z \in \mathbb{Z}_p$) is ergodic, and the mapping $z \mapsto d + cz + p\,g(z)$ preserves measure for arbitrary $d$.

Moreover, if $p = 2$, then the converse also holds: each compatible and ergodic (respectively, each compatible and measure preserving) mapping $z \mapsto f(z)$ ($z \in \mathbb{Z}_2$) could be represented as $f(x) = 1 + x + 2\Delta g(x)$ (respectively, as $f(x) = d + x + 2g(x)$) for suitable $d \in \mathbb{Z}_2$ and compatible $g\colon \mathbb{Z}_2 \to \mathbb{Z}_2$.

Note. The case $p = 2$ is the only case in which the converse of the first assertion of proposition 3.10 holds.

3.11. Example. Proposition 3.10 immediately implies Theorem 2 of [19]: for any composition $f$ of primitive functions, the mapping $x \mapsto x + 2f(x) \pmod{2^n}$ is invertible; just note that a composition of primitive functions is compatible (see [19] for the definition of primitive functions). □

Proposition 3.10 is perhaps the most important tool in the design of pseudorandom generators such that both their state transition functions and output functions are key-dependent. The corresponding schemes are rather flexible: in fact, one may use a nearly arbitrary composition of arithmetic and logical operators to produce a strictly uniformly distributed sequence. Both for $g(x) = x\,\mathrm{XOR}\,(2x + 1)$ and for

/ ^ xmox^ +x^ORx'^ y+rfl5^ 
5W - l^l + 23 + 4(5 + 6x5)-«xOR-^ j 

a sequence $\{x_i\}$ defined by the recurrence relation $x_{i+1} = \big(1 + x_i + 2(g(x_i + 1) - g(x_i))\big) \bmod 2^n$ is strictly uniformly distributed in $\mathbb{Z}/2^n$ for each $n = 1, 2, 3, \ldots$, i.e., the sequence $\{x_i\}$ is purely periodic with period length exactly $2^n$, and each element of $\{0, 1, \ldots, 2^n - 1\}$ occurs in the period exactly once. We will demonstrate further that a designer could vary the function $g$ within a very wide scope without worsening prescribed values of some important indicators of security. In fact, choosing the proper operators (2.0.1) and (2.0.3), the designer is restricted only by the desired performance, since any compatible ergodic mapping could be produced in this way:
3.12. Corollary. Let $p = 2$, and let $f$ be a compatible and ergodic mapping of $\mathbb{Z}_2$ onto itself. Then for each $n = 1, 2, \ldots$ the state transition function $f \bmod 2^n$ could be represented as a finite composition of operators (2.0.1) and (2.0.3).

Proof. In view of proposition 3.10 it is sufficient to prove that for arbitrary compatible $g$ the function $\bar g = g \bmod 2^n$ could be represented as a finite composition of operators (2.0.1) and (2.0.3). In view of 2.1, one could represent $\bar g$ as

$$\bar g(x) = \gamma_0(x_0) + 2\gamma_1(x_0, x_1) + \cdots + 2^{n-1}\gamma_{n-1}(x_0, \ldots, x_{n-1}),$$

where $\gamma_i = \delta_i(g)$, $x_i = \delta_i(x)$, $i = 0, 1, \ldots, n - 1$. Since each $\gamma_i(x_0, \ldots, x_i)$ is a Boolean function in the Boolean variables $x_0, \ldots, x_i$, it could be expressed via a finite number of XORs and ANDs of these variables $x_0, \ldots, x_i$. Yet each variable $x_j$ could be expressed via $x\,\mathrm{AND}\,(2^j)$, and the conclusion follows. □
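As an added example (not code from the paper), the construction of Proposition 3.10 with $p = 2$ in Python: the difference operator $\Delta g(x) = g(x+1) - g(x)$ applied to the compatible map $g(x) = x\,\mathrm{XOR}\,(2x+1)$ named above gives an ergodic $1 + x + 2\Delta g(x)$, and $d + x + 2g(x)$ gives a bijection modulo every $2^n$. The second map `g2`, a longer mix of arithmetic and bitwise operators, is this example's own choice, standing in for the garbled second $g$ of the text.

```python
# Added example (not code from the paper): Proposition 3.10 for p = 2.
# Any composition of +, *, AND, OR, XOR is compatible, so both g below qualify.

def g1(x):
    """The g named in the text: x XOR (2x + 1)."""
    return x ^ (2 * x + 1)

def g2(x):
    """This example's own compatible map: a mix of operators from (2.0.3) and (2.0.4)."""
    return ((x * x + 3 * x) | (x ^ 0x5A5A)) & (x + 7)

def ergodic_from(g, c=1):
    """z -> c + z + 2*(g(z+1) - g(z)); ergodic when c is odd (Proposition 3.10)."""
    return lambda z: c + z + 2 * (g(z + 1) - g(z))

def measure_preserving_from(g, d=0):
    """z -> d + z + 2*g(z); preserves measure, i.e. is bijective modulo every 2^n."""
    return lambda z: d + z + 2 * g(z)

def orbit_mod(f, n, start=0):
    """First 2^n states of the recurrence x_{i+1} = f(x_i) mod 2^n, plus the state after them."""
    mod = 1 << n
    x, seen = start % mod, []
    for _ in range(mod):
        seen.append(x)
        x = f(x) % mod       # reducing only here is fine: f is compatible
    return seen, x

def is_transitive_mod(f, n):
    """Strict uniform distribution: one cycle of length exactly 2^n through every residue."""
    seen, nxt = orbit_mod(f, n)
    return len(set(seen)) == (1 << n) and nxt == seen[0]

def is_bijective_mod(f, n):
    mod = 1 << n
    return len({f(x) % mod for x in range(mod)}) == mod
```

For $g_1$ and $n = 2$ the orbit of 0 is $0, 3, 2, 1$, the single 4-cycle the text's recurrence predicts; with an even $c$ the first assertion of 3.10 no longer applies and 0 becomes a fixed point modulo 4.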

Using Boolean representation. So, in case $p = 2$ we have two equivalent descriptions of the class of all compatible ergodic mappings, namely, theorem 3.1 and proposition 3.10. They enable one to express any compatible and transitive modulo $2^n$ state transition function either as a polynomial of special kind over the field $\mathbb{Q}$ of rational numbers, or as a special composition of arithmetic and bitwise logical operations, (2.0.3) and (2.0.1). Both these representations are suitable for programming, since they involve only standard machine instructions. However, we need one more representation, in Boolean form (see 2.1). Although this representation is not very convenient for programming, it will be used further for a better understanding of certain important properties of the considered generators, as well as for proving the ergodicity of some particular mappings, see e.g. 3.14 below. The following theorem is just a restatement of a known result from the theory of Boolean functions, the so-called bijectivity/transitivity criterion for triangular Boolean mappings. However, the latter belongs to mathematical folklore, and thus it is somewhat difficult to attribute it; yet a reader could find a proof in, e.g., [6, Lemma 4.8].

3.13. Theorem. A mapping $T\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is compatible and measure preserving iff for each $i = 0, 1, \ldots$ the Boolean function $\delta_i(T)$ in the Boolean variables $x_0, \ldots, x_i$ could be represented as a Boolean polynomial of the form

$$\delta_i(T)(x_0, \ldots, x_i) = x_i + \varphi_i^T(x_0, \ldots, x_{i-1}),$$

where $\varphi_i^T$ is a Boolean polynomial. The mapping $T$ is compatible and ergodic iff, additionally, the Boolean function $\varphi_i^T$ is of odd weight, that is, takes the value 1 at exactly an odd number of points $(\varepsilon_0, \ldots, \varepsilon_{i-1})$, where $\varepsilon_j \in \{0, 1\}$ for $j = 0, 1, \ldots, i - 1$. The latter takes place if and only if $\varphi_0^T = 1$, and the degree of the Boolean polynomial $\varphi_i^T$ for $i \ge 1$ is exactly $i$, that is, $\varphi_i^T$ contains the monomial $x_0 \cdots x_{i-1}$.

3.14. Example. With the use of 3.13 it is possible to give another proof of the main result of [19], namely, of Theorem 3: The mapping $f(x) = x + (x^2 \vee C)$ over $n$-bit words is invertible if and only if the least significant bit of $C$ is 1. For $n > 3$ it is a permutation with a single cycle if and only if both the least significant bit and the third least significant bit of $C$ are 1.

Proof of Theorem 3 of [19]. Recall that for $x \in \mathbb{Z}_2$ and $i = 0, 1, 2, \ldots$ we denote $x_i = \delta_i(x) \in \{0, 1\}$; also we denote $c_i = \delta_i(C)$. We will calculate $\delta_i(x + (x^2 \vee C))$ as a Boolean polynomial in $x_0, x_1, \ldots$ and start with the following easy claims:

• $\delta_0(x^2) = x_0$, $\delta_1(x^2) = 0$, $\delta_2(x^2) = x_0 x_1 + x_1$;

• $\delta_n(x^2) = x_{n-1} x_0 + \psi_n(x_0, \ldots, x_{n-2})$ for all $n \ge 3$, where $\psi_n$ is a Boolean function in the $n - 1$ Boolean variables $x_0, \ldots, x_{n-2}$.

The first of these claims could be easily verified by direct calculations. To prove the second one, represent $x = \bar x_{n-1} + 2^{n-1} x_{n-1}$ for $\bar x_{n-1} = x \bmod 2^{n-1}$ and calculate

$$x^2 = (\bar x_{n-1} + 2^{n-1} x_{n-1})^2 = \bar x_{n-1}^2 + 2^n x_{n-1} \bar x_{n-1} + 2^{2n-2} x_{n-1}^2 \equiv \bar x_{n-1}^2 + 2^n x_{n-1} x_0 \pmod{2^{n+1}}$$

for $n \ge 3$, and note that $\bar x_{n-1}^2$ depends only on $x_0, \ldots, x_{n-2}$.

This gives

(1) $\delta_0(x^2 \vee C) = x_0 + c_0 + x_0 c_0$,

(2) $\delta_1(x^2 \vee C) = c_1$,

(3) $\delta_2(x^2 \vee C) = x_0 x_1 + x_1 + c_2 + c_2 x_1 + c_2 x_0 x_1$,

(4) $\delta_n(x^2 \vee C) = x_{n-1} x_0 + \psi_n + c_n + c_n x_{n-1} x_0 + c_n \psi_n$ for $n \ge 3$.

From here it follows that if $n \ge 3$, then $\delta_n(x^2 \vee C) = \lambda_n(x_0, \ldots, x_{n-1})$, and $\deg \lambda_n \le n - 1$, since $\psi_n$ depends only on, may be, $x_0, \ldots, x_{n-2}$.

Now successively calculate $\gamma_n = \delta_n(x + (x^2 \vee C))$ for $n = 0, 1, 2, \ldots$. We have $\delta_0(x + (x^2 \vee C)) = c_0 + x_0 c_0$, so necessarily $c_0 = 1$ since otherwise $f$ is not bijective modulo 2. Proceeding further with $c_0 = 1$ we obtain $\delta_1(x + (x^2 \vee C)) = c_1 + x_0 + x_1$, since $x_0$ is a carry. Then $\delta_2(x + (x^2 \vee C)) = (c_1 x_0 + c_1 x_1 + x_0 x_1) + (x_0 x_1 + x_1 + c_2 + c_2 x_1 + c_2 x_0 x_1) + x_2 = c_1 x_0 + c_1 x_1 + x_1 + c_2 + c_2 x_1 + c_2 x_0 x_1 + x_2$; here $c_1 x_0 + c_1 x_1 + x_0 x_1$ is a carry. From here in view of 3.13 we immediately have $c_2 = 1$ since otherwise $f$ is not transitive modulo 8. Now for $n \ge 3$ one has $\gamma_n = \alpha_n + \lambda_n + x_n$, where $\alpha_n$ is a carry, and $\alpha_{n+1} = \alpha_n \lambda_n + \alpha_n x_n + \lambda_n x_n$. But if $c_2 = 1$ then $\deg \alpha_3 = \deg(\mu\nu + x_2 \mu + x_2 \nu) = 3$, where $\mu = c_1 x_0 + c_1 x_1 + x_0 x_1$, $\nu = x_0 x_1 + x_1 + c_2 + c_2 x_1 + c_2 x_0 x_1 = 1$. This implies inductively in view of (4) above that $\deg \alpha_{n+1} = n + 1$ and that $\gamma_{n+1} = x_{n+1} + \Phi_{n+1}(x_0, \ldots, x_n)$, $\deg \Phi_{n+1} = n + 1$. So the conditions of 3.13 are satisfied, thus finishing the proof of Theorem 3 of [19]. □
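As an added example (not code from the paper), the criterion of Theorem 3.13 can be run mechanically: the $i$-th output bit of a compatible map on $n$-bit words is a Boolean function of $x_0, \ldots, x_i$, its algebraic normal form is obtained by the Möbius transform of the truth table (a standard tool, not one the paper uses), and the two conditions of the theorem become coefficient lookups. The result is compared with brute force on the Klimov–Shamir map of Example 3.14; the function names are this example's own.

```python
# Added example (not code from the paper). Theorem 3.13 checked numerically:
# delta_i(T(x)) depends on x_0..x_i only (T compatible). Its ANF must be
# x_i + phi_i(x_0..x_{i-1}) for measure preservation; for ergodicity each phi_i
# must also have odd weight, i.e. contain the monomial x_0...x_{i-1} (phi_0 = 1).

def anf(truth):
    """Mobius transform: truth table indexed by input bits -> ANF coefficients indexed by monomial mask."""
    coeffs = list(truth)
    step = 1
    while step < len(coeffs):
        for base in range(0, len(coeffs), 2 * step):
            for j in range(base, base + step):
                coeffs[j + step] ^= coeffs[j]
        step <<= 1
    return coeffs

def bit_anf(T, i):
    """ANF of delta_i(T(x)) as a function of x_0..x_i."""
    return anf([(T(x) >> i) & 1 for x in range(1 << (i + 1))])

def criterion(T, n):
    """(measure_preserving, ergodic) for T modulo 2^n, decided bit by bit as in Theorem 3.13."""
    ergodic = True
    for i in range(n):
        a = bit_anf(T, i)
        xi = 1 << i
        # the only monomial allowed to contain x_i is x_i itself, with coefficient 1
        if a[xi] != 1 or any(a[mask] for mask in range(1 << (i + 1)) if (mask & xi) and mask != xi):
            return False, False
        # phi_i has odd weight iff the coefficient of x_0...x_{i-1} (mask xi - 1) is 1;
        # for i = 0 this reads phi_0 = 1
        if a[xi - 1] != 1:
            ergodic = False
    return True, ergodic

def brute(T, n):
    """Same two properties by exhaustion: bijective mod 2^n, and the orbit of 0 is one 2^n-cycle."""
    mod = 1 << n
    bijective = len({T(x) % mod for x in range(mod)}) == mod
    x, seen = 0, set()
    for _ in range(mod):
        seen.add(x)
        x = T(x) % mod
    return bijective, len(seen) == mod and x == 0

def klimov_shamir(C):
    """The map of Example 3.14: x -> x + (x^2 OR C)."""
    return lambda x: x + ((x * x) | C)
```

Over all 32 constants $C$ with $n = 5$ the ANF test agrees with brute force, and it reproduces the statement of Theorem 3 of [19]: invertible iff bit 0 of $C$ is set, a single cycle iff bits 0 and 2 are both set.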

There are some more applications of Theorem 3.13.

3.15. Proposition. Let $F\colon \mathbb{Z}_2^{(n+1)} \to \mathbb{Z}_2$ be a compatible mapping such that for all $z_1, \ldots, z_n \in \mathbb{Z}_2$ the mapping $F(x, z_1, \ldots, z_n)\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is measure preserving. Then $F(f(x), 2g_1(x), \ldots, 2g_n(x))$ preserves measure for all compatible $g_1, \ldots, g_n\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ and all compatible and measure preserving $f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$. Moreover, if $f$ is ergodic then $f(x + 4g(x))$, $f(x \oplus (4g(x)))$, $f(x) + 4g(x)$, and $f(x) \oplus (4g(x))$ are ergodic for any compatible $g\colon \mathbb{Z}_2 \to \mathbb{Z}_2$.

Proof. Since the function $F$ is compatible, $\delta_i(F(u_0, u_1, \ldots, u_n))$ does not depend on $\delta_j(u_k) = \chi_{j,k}$ for $j > i$ (see 2.1 and the note thereafter). Represent

$$\delta_i(F(u_0, u_1, \ldots, u_n)) = \chi_{0,i}\,\Psi_i(u_0, u_1, \ldots, u_n) + \Phi_i(u_0, u_1, \ldots, u_n),$$

where the Boolean polynomials $\Psi_i(u_0, u_1, \ldots, u_n)$, $\Phi_i(u_0, u_1, \ldots, u_n)$ do not depend on $\chi_{0,i}$; that is, they depend only on, may be,

$$\chi_{0,0}, \ldots, \chi_{0,i-1},\quad \chi_{1,0}, \ldots, \chi_{1,i},\quad \ldots,\quad \chi_{n,0}, \ldots, \chi_{n,i}.$$

In view of 3.13 it follows that $\Psi_i = 1$ since $F(x, z_1, \ldots, z_n)$ preserves measure for all $z_1, \ldots, z_n \in \mathbb{Z}_2$. Moreover, then $\Phi_i(f(x), 2g_1(x), \ldots, 2g_n(x))$ does not depend on $x_i = \delta_i(x)$ since $\delta_i(2g_j(x))$ does not depend on $x_i$ for all $j = 1, 2, \ldots, n$. Now, in view of 3.13 one has $\delta_i(f(x)) = x_i + \xi_i(f(x))$, where $\xi_i(f(x))$ does not depend on $x_i$ since $f$ preserves measure. Finally,

$$\delta_i(F(f(x), 2g_1(x), \ldots, 2g_n(x))) = \delta_i(f(x)) + \Phi_i(f(x), 2g_1(x), \ldots, 2g_n(x)) = x_i + \xi_i(f(x)) + \Phi_i(f(x), 2g_1(x), \ldots, 2g_n(x)) = x_i + \Xi_i,$$

where the Boolean polynomial $\Xi_i$ depends only on, may be, $x_0, \ldots, x_{i-1}$. This proves the first assertion of 3.15 in view of 3.13.

We prove the second assertion along similar lines. For $z \in \mathbb{Z}_2$ and $i = 0, 1, 2, \ldots$ let $\zeta_i = \delta_i(z)$. Thus one can consider $\delta_i(z \oplus 4g(z))$ and $\delta_i(z + 4g(z))$ as Boolean polynomials in the Boolean variables $\zeta_0, \zeta_1, \ldots$. Note that $\delta_i(z \oplus 4g(z)) = \zeta_i + \lambda_i(z)$, where $\lambda_i(z) = 0$ for $i = 0, 1$ and $\deg \lambda_i(z) \le i - 1$ for $i > 1$, since for $i > 1$ the Boolean polynomial $\lambda_i(z)$ depends, may be, only on $\zeta_0, \ldots, \zeta_{i-2}$.

Next, we claim that $\delta_i(z + 4g(z)) = \zeta_i + \mu_i(z)$, where $\mu_i(z) = \mu_i^g(z)$ is $0$ for $i = 0, 1$ and $\deg \mu_i(z) \le i - 1$ for $i > 1$. Indeed, $\mu_i(z) = \lambda_i(z) + \alpha_i(z)$, where the Boolean polynomial $\alpha_i(z)$ is a carry. Yet $\alpha_i(z) = 0$ for $i = 0, 1, 2$, and $\alpha_i(z) = \zeta_{i-1}\lambda_{i-1}(z) + \zeta_{i-1}\alpha_{i-1}(z) + \lambda_{i-1}(z)\alpha_{i-1}(z)$ for $i \ge 3$, and $\alpha_i(z)$ depends only on, may be, $\zeta_0, \ldots, \zeta_{i-1}$ since $\alpha_i(z)$ is a carry. However, $\deg \alpha_3(z) = 2$, and if $\deg \alpha_{i-1}(z) \le i - 2$ then $\deg \zeta_{i-1}\alpha_{i-1}(z) \le i - 1$, $\deg \lambda_{i-1}(z)\alpha_{i-1}(z) \le i - 1$, and $\deg \zeta_{i-1}\lambda_{i-1}(z) \le i - 1$, since $\alpha_{i-1}(z)$ depends only on, may be, $\zeta_0, \ldots, \zeta_{i-2}$ and $\lambda_{i-1}(z)$ depends, may be, only on $\zeta_0, \ldots, \zeta_{i-3}$. Thus $\deg \alpha_i(z) \le i - 1$ and hence $\deg \mu_i(z) \le i - 1$.

Now, since $f(x)$ is ergodic, $\delta_i(f(x)) = x_i + \xi_i(x)$, where the Boolean polynomial $\xi_i$ depends only on, may be, $x_0, \ldots, x_{i-1}$ and, additionally, $\xi_0 = 1$ and $\deg \xi_i = i$ for $i > 0$ (see 3.13); i.e. $\xi_i(x) = x_0 x_1 \cdots x_{i-1} + \theta_i(x)$, where $\deg \theta_i(x) \le i - 1$ for $i > 0$. Hence, for $* \in \{+, \oplus\}$ one has $\delta_i(f(x * 4g(x))) = \delta_i(x * 4g(x)) + \delta_0(x * 4g(x))\,\delta_1(x * 4g(x)) \cdots \delta_{i-1}(x * 4g(x)) + \theta_i(x * 4g(x))$; thus $\delta_i(f(x * 4g(x))) = x_i + x_0 \cdots x_{i-1} + \rho_i^{*}(x)$, where $\deg \rho_i^{*}(x) \le i - 1$ for $i > 0$, and $\delta_0(f(x * 4g(x))) = \delta_0(x * 4g(x)) + 1 = x_0 + 1$. Finally, $f(x * 4g(x))$ for $* \in \{+, \oplus\}$ is ergodic in view of 3.13.

In a similar manner it could be demonstrated that $f(x) * 4g(x)$ is ergodic for $* \in \{+, \oplus\}$: $\delta_i(f(x) * 4g(x)) = \delta_i(f(x))$ for $i = 0, 1$, and thus these satisfy the conditions of 3.13. For $i > 1$ one has $\delta_i(f(x) \oplus 4g(x)) = x_i + \xi_i(x) + \delta_{i-2}(g(x))$; but $\delta_{i-2}(g(x))$ does not depend on $x_{i-1}, x_i$. Thus the Boolean polynomial $\xi_i(x) + \delta_{i-2}(g(x))$ in the variables $x_0, \ldots, x_{i-1}$ is of odd weight, since $\xi_i(x)$ is of odd weight, thus proving that $f(x) \oplus 4g(x)$ is ergodic.

Now represent $g(x) = g(f^{-1}(f(x))) = h(f(x))$, where $f^{-1}(x)$ is the inverse mapping for $f$. Clearly, $f^{-1}(x)$ is well defined since the mapping $f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is bijective; moreover $f^{-1}(x)$ is compatible and ergodic. Finally $\delta_i(f(x) + 4g(x)) = \delta_i(f(x)) + \mu'_i(f(x))$, where the Boolean polynomial $\mu'_i(x) = \mu^h_i(x)$ in the Boolean variables $x_0, \ldots, x_{i-1}$ does not contain the monomial $x_0 \cdots x_{i-1}$ (see the claim above). This implies that the Boolean polynomial $\mu'_i(f(x))$ in the Boolean variables $x_0, \ldots, x_{i-1}$ does not contain the monomial $x_0 \cdots x_{i-1}$ either, since $\delta_j(f(x)) = x_j + \xi_j(x)$ and $\xi_j(x)$ depend only, may be, on $x_0, \ldots, x_{j-1}$ for $j = 2, 3, \ldots$. Hence, $\delta_i(f(x) + 4g(x)) = x_i + \xi_i(x) + \mu'_i(f(x))$ and the Boolean polynomial $\xi_i(x) + \mu'_i(f(x))$ in the Boolean variables $x_0, \ldots, x_{i-1}$ is of odd weight. This finishes the proof in view of 3.13. □

3.16. Example. With the use of 3.15 it is possible to construct very fast generators $x_{i+1} = f(x_i) \bmod 2^n$ that are transitive modulo $2^n$. For instance, take

$$f(x) = \Big(\ldots\big(\big(\big((x + c_0) \oplus d_0\big) + c_1\big) \oplus d_1\big) + \cdots + c_m\Big) \oplus d_m,$$

where $c_0 \equiv 1 \pmod 2$, and the rest of the $c_i, d_i$ are $\equiv 0$ modulo 4. By the way, this generator, looking somewhat 'linear', is as a rule rather 'nonlinear': the corresponding polynomial over $\mathbb{Q}$ is of high degree. The general case of these functions $f$ (for arbitrary $c_i, d_i$) was studied by the author's student Ludmila Kotomina: she proved that such a function is ergodic iff it is transitive modulo 4.
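As an added example (not code from the paper), the add/XOR generator of Example 3.16 in Python with a check of its full period modulo $2^n$ for the parameter family Proposition 3.15 covers ($c_0$ odd, all other $c_i, d_i$ divisible by 4). The seed-based derivation of the constants is this example's own stand-in for a key schedule, and `is_transitive_mod4` only restates the criterion attributed to Kotomina above; the assertions below rely on Proposition 3.15 alone.

```python
# Added example (not code from the paper): the fast generator of Example 3.16,
# f(x) = (...(((x + c_0) XOR d_0) + c_1) XOR d_1 ...) + c_m) XOR d_m.
# Each "+ c_i" and "XOR d_i" with c_i, d_i = 0 (mod 4) is an f(x) + 4g(x) or
# f(x) XOR 4g(x) step of Proposition 3.15 with a constant g, so ergodicity is
# inherited from the first step x + c_0 (c_0 odd).
import random

def make_f(cs, ds):
    """Alternate additions of c_i and XORs with d_i, starting with x + c_0."""
    def f(x):
        for c, d in zip(cs, ds):
            x = (x + c) ^ d
        return x
    return f

def keyed_params(seed, m, n):
    """c_0 odd; all other c_i and all d_i are multiples of 4 (low two bits cleared). Example's own key schedule."""
    rng = random.Random(seed)
    cs = [rng.randrange(1 << n) | 1] + [rng.randrange(1 << n) & ~3 for _ in range(m)]
    ds = [rng.randrange(1 << n) & ~3 for _ in range(m + 1)]
    return cs, ds

def is_transitive_mod(f, n):
    """The orbit of 0 visits all 2^n residues and returns to 0 (f is compatible, so reduce at the end)."""
    mod = 1 << n
    x, seen = 0, set()
    for _ in range(mod):
        seen.add(x)
        x = f(x) % mod
    return len(seen) == mod and x == 0

def is_transitive_mod4(f):
    """Kotomina's criterion quoted in the text: for this family, ergodicity is equivalent to transitivity modulo 4."""
    return is_transitive_mod(f, 2)
```

Every step is a constant addition or XOR, so one iteration costs $2(m+1)$ word operations; the period check is the part that would be expensive at real word sizes, which is why the text reduces it to a criterion modulo 4.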

Counting the number of transitive mappings. The preceding results enable us to calculate the number of all compatible transitive modulo $2^n$ mappings of $\mathbb{Z}/2^n$ onto itself and the number of them that are induced by polynomial mappings over $\mathbb{Z}$, i.e., that could be expressed as polynomials with rational integer coefficients.

3.17. Proposition. There are exactly $2^{2^n - n - 1}$ compatible and transitive modulo $2^n$ mappings $T\colon \mathbb{Z}/2^n \to \mathbb{Z}/2^n$. For $n \le 3$ all of them could be represented as polynomials over $\mathbb{Z}$; if $n > 3$, then exactly $2^{\sum_{i=0}^{p(n)} (n - i + \mathrm{wt}_2 i) - 6}$ of them could be represented as polynomials over $\mathbb{Z}$ (see 3.4). Moreover, $\sum_{i=0}^{p(n)} (n - i + \mathrm{wt}_2 i) - 6 \sim \cdots$ as $n \to \infty$. Here $\mathrm{wt}_2 i$ is the binary weight of the non-negative rational integer $i$ (i.e., the number of 1's in the base-2 expansion of $i$), and $p(n)$ is the biggest natural number $k$ such that $k - \mathrm{wt}_2 k < n$.

Proof. The first assertion is an easy consequence of 3.13: obviously, the number of Boolean functions of odd weight in $i$ variables is exactly $2^{2^i - 1}$, and the result follows.

To prove the second assertion we first note that each integer-valued polynomial $f(x) \in \mathbb{Q}_p[x]$ over the field $\mathbb{Q}_p$ of $p$-adic numbers (that is, a polynomial which takes values in $\mathbb{Z}_p$ at each point of $\mathbb{Z}_p$) admits a unique representation

$$f(x) = \sum_{i \ge 0} a_i \binom{x}{i} \qquad (3.17.1)$$

for suitable $a_0, a_1, a_2, \ldots \in \mathbb{Z}_p$, with only a finite number of non-zero $a_0, a_1, a_2, \ldots$ (see e.g. [3]). Further, the polynomial (3.17.1) is identically zero modulo $2^n$ iff $a_i \equiv 0 \pmod{2^n}$ for all $i = 0, 1, 2, \ldots$ (see Proposition 4.2 of [6]). Lastly, the polynomial (3.17.1) is a polynomial over $\mathbb{Z}_2$ iff it could be represented in the form of 3.4, i.e., iff $a_i \equiv 0 \pmod{2^{\operatorname{ord}_2 i!}}$ for all $i = 0, 1, 2, \ldots$. Here and after $\operatorname{ord}_p q$ stands for the greatest power of the prime $p$ which is a factor of $q \in \mathbb{N}$: $p^{\operatorname{ord}_p q} \mid q$, but $p^{1 + \operatorname{ord}_p q} \nmid q$. It is well known that $\operatorname{ord}_p i! = \frac{1}{p-1}(i - \mathrm{wt}_p i)$, see e.g. [4], Chapter 1, Section 2, Exercise 13.

Thus, each mapping of $\mathbb{Z}/2^n$ onto $\mathbb{Z}/2^n$ that is induced by a polynomial over $\mathbb{Z}$ admits a unique representation by a polynomial (3.17.1) of degree not greater than $p(n)$, and with $a_0, a_1, a_2, \ldots \in \mathbb{Z}/2^n$ such that $a_i \equiv 0 \pmod{2^{i - \mathrm{wt}_2 i}}$ for $i = 2, 3, \ldots$. In view of 3.1, the latter polynomial is transitive modulo $2^n$ iff $a_0 \equiv 1 \pmod 2$, $a_1 \equiv 1 \pmod 4$, and $a_i \equiv 0 \pmod{2^{\lfloor \log_2 (i+1) \rfloor + 1}}$ for $i = 2, 3, \ldots$. Since $i - \mathrm{wt}_2 i < \lfloor \log_2 (i+1) \rfloor + 1$ iff $i = 0, 1, 2, 3$, the number of all transitive modulo $2^n$ mappings of $\mathbb{Z}/2^n$ into $\mathbb{Z}/2^n$ that are induced by polynomials over $\mathbb{Z}$ is exactly $2^{\eta(n)}$, where

$$\eta(n) = 4n - 8 + \sum_{i=4}^{p(n)} (n - i + \mathrm{wt}_2 i) = -6 + \sum_{i=0}^{p(n)} (n - i + \mathrm{wt}_2 i)$$

for $n > 3$, and $2^{\eta(1)} = 1$, $2^{\eta(2)} = 2$, $2^{\eta(3)} = 16$.

Now, to finish the proof of proposition 3.17 we only have to prove the asymptotic relation of the statement. We start with estimating $p(n)$.

Represent $n$ as $n = 2^k + t$ where $0 \le t < 2^k$. Verify that $p(2^{k+1} - 1) = 2^{k+1} - 1$ by direct calculations. So, $p(n) = n$ if $n = 2^{k+1} - 1$ (i.e., if $t = 2^k - 1$), and $p(n) = 2^k + s$ for certain $s \ge 0$ in the opposite case (i.e., if $t < 2^k - 1$). We claim that $s < 2^k$. Indeed, the function $k - \mathrm{wt}_2 k$, and hence the function $p(n)$, are nondecreasing; thus $s \le 2^k$. However, assuming $s = 2^k$ we get a contradiction: on the one hand, $2^k + t = n > p(n) - \mathrm{wt}_2\, p(n) = 2^k + 2^k - \mathrm{wt}_2(2^k + 2^k) = 2^{k+1} - 1$, but $t < 2^k - 1$ on the other. Thus for $t < 2^k - 1$, i.e., for $n \ne 2^{k+1} - 1$, we have that $p(n) = 2^k + s$ for some $t \le s \le 2^k - 1$, since obviously $p(n) \ge n$. Hence $n = 2^k + t > p(n) - \mathrm{wt}_2(p(n)) = 2^k + s - 1 - \mathrm{wt}_2 s$; consequently $s = \max\{r \in \mathbb{N} : r - \mathrm{wt}_2 r < t + 1\} = p(t + 1)$ by the definition of the function $p$. Thus we proved the formula

$$p(n) = \begin{cases} n = 2^{k+1} - 1, & \text{if } t = 2^k - 1, \text{ i.e., if } n = 2^{k+1} - 1;\\[2pt] 2^k + p(t + 1), & \text{if } t < 2^k - 1, \text{ i.e., if } n \ne 2^{k+1} - 1. \end{cases}$$

This implies an obvious recursive procedure for calculating $p(n)$, which halts not later than in $k$ steps; mind that $k + 1$ is the number of digits in the base-2 expansion of $n$. We conclude finally that $n \le p(n) \le n + \lfloor \log_2 n \rfloor$, since the number of digits in the base-2 expansion of $n$ is exactly $\lfloor \log_2 n \rfloor + 1$ and $2^k - 1 = \underbrace{11 \ldots 1}_{k}$ in base 2.
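As an added example (not code from the paper), the quantities of this proof in Python: $p(n)$ computed from its definition and from the recursion just derived, the exponent $\eta(n)$ of the count $2^{\eta(n)}$ of transitive polynomial maps modulo $2^n$, and the closed form quoted in Note 3.18 for $n = 2^k$. The function names are this example's own.

```python
# Added example (not code from the paper): p(n), eta(n) and the degree bound
# of Proposition 3.17, plus the power-of-two closed form of Note 3.18.

def wt2(i):
    """Binary weight: number of 1's in the base-2 expansion of i."""
    return bin(i).count("1")

def p_direct(n):
    """Largest k with k - wt2(k) < n; k - wt2(k) is nondecreasing, so scan upward from k = n (which always qualifies)."""
    k = n
    while (k + 1) - wt2(k + 1) < n:
        k += 1
    return k

def p_recursive(n):
    """The recursion of the proof: write n = 2^k + t with 0 <= t < 2^k."""
    k = n.bit_length() - 1
    t = n - (1 << k)
    if t == (1 << k) - 1:          # n = 2^(k+1) - 1, all ones in base 2
        return n
    return (1 << k) + p_recursive(t + 1)

def eta(n):
    """eta(n) = -6 + sum_{i=0}^{p(n)} (n - i + wt2 i), valid for n > 3; the count is 2^eta(n)."""
    return -6 + sum(n - i + wt2(i) for i in range(p_direct(n) + 1))

def eta_power_of_two(k):
    """Closed form of Note 3.18 for n = 2^k, k > 2: 2^(2k-1) + (k+1) 2^(k-1) - 4."""
    return (1 << (2 * k - 1)) + (k + 1) * (1 << (k - 1)) - 4

def degree_bound_holds(n):
    """n <= p(n) <= n + floor(log2 n), the final estimate of the proof."""
    return n <= p_direct(n) <= n + n.bit_length() - 1
```

For $n = 8$ this gives $p(8) = 9$ and $\eta(8) = 44$; for the 32-bit word, $p(32) = 33$ and $\eta(32) = 604$, the two cases Note 3.18 quotes.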

Now we successively calculate

$$\eta(n) = \sum_{i=0}^{n} (i + \mathrm{wt}_2 i) + \sum_{j=n+1}^{p(n)} (n - j + \mathrm{wt}_2 j) - 6 = \frac{n(n+1)}{2} + \sum_{i=1}^{n} \mathrm{wt}_2 i - \sum_{j=1}^{p(n)-n} j + \sum_{j=1}^{p(n)-n} \mathrm{wt}_2(n + j) - 6.$$

Finally, taking into account that

$$\sum_{i=1}^{n} \mathrm{wt}_2 i \le \sum_{i=1}^{2^{\lfloor \log_2 n \rfloor + 1} - 1} \mathrm{wt}_2 i = (\lfloor \log_2 n \rfloor + 1)\, 2^{\lfloor \log_2 n \rfloor} \le (1 + \log_2 n)\, n,$$

and also that $p(n) - n \le \log_2 n$, $\mathrm{wt}_2(a + b) \le \mathrm{wt}_2 a + \mathrm{wt}_2 b$, $\mathrm{wt}_2 a \le 1 + \log_2 a$, we conclude that the limit in question equals 1. □

3.18. Note. During the proof of proposition 3.17 we have demonstrated that each mapping of $\mathbb{Z}/2^n$ onto $\mathbb{Z}/2^n$ induced by a polynomial over $\mathbb{Z}$ could be represented by a polynomial of degree not greater than $p(n) \le n + \log_2 n$, and this estimate is sharp. Moreover, from the final part of the proof it could be deduced that the number of transitive mappings of $\mathbb{Z}/2^n$ onto itself that are induced by polynomials over $\mathbb{Z}$ is

$$O\!\left(2^{\frac12 n(n+1) + n(1 + \log_2 n) + \frac12 (1 + \log_2 n)\log_2 n + (1 + \log_2 \log_2 n)\log_2 n}\right).$$

The case $n = 2^k$ is of special interest since usually the word length of contemporary processors is a power of 2. In this case $p(n) = n + 1$, and for $k > 2$ direct calculations of $\eta(n)$ (see the proof of 3.17) imply that the number of transitive modulo $2^n$ mappings of $\mathbb{Z}/2^n$ onto itself that are induced by polynomials over $\mathbb{Z}$ is exactly $2^{2^{2k-1} + (k+1)2^{k-1} - 4}$. For instance, in the case $n = 32$ this makes $2^{604}$ transitive mappings; all of them are induced by polynomials over $\mathbb{Z}$ of degree $\le 33$, i.e., could be expressed via arithmetic operations (2.0.3). Yet for $n = 8$ this makes only $2^{44}$ polynomials of degree not exceeding 9. By the use of bitwise logical operations (2.0.1) along with arithmetic operations one could significantly increase the number of transitive mappings, up to $2^{2^n - n - 1}$. Each of these mappings could be expressed as a polynomial over $\mathbb{Q}$ (see 3.1), yet the bound for its degree $d$ rises significantly as well. Namely, from the proof of 3.17 it follows that $\lfloor \log_2 (d + 1) \rfloor + 1 < n$ for $n > 2$, i.e., $d \le 2^{n-1} - 2$, and this bound is sharp. For $n = 8$, e.g., this makes $2^{247}$ transitive polynomials over $\mathbb{Q}$ of degree $\le 126$. Note that for each $1 \le d \le p(n)$ (resp., for each $1 \le d \le 2^{n-1} - 2$) there exists an ergodic polynomial over $\mathbb{Z}$ (resp., a compatible and ergodic polynomial over $\mathbb{Q}$) of degree exactly $d$. The number of pairwise distinct modulo $2^n$ mappings induced by these polynomials may also be calculated using the ideas of the proof of 3.17. We omit the details.

Using uniform differentiability. Now we are going to give general descriptions of equiprobable (in particular, multivariate measure-preserving) mappings following [16, Section 3], [7, Section 5], [6, Section 5]. These mappings could be used as output functions of the generators, assuring uniform distribution of the produced sequence; see 2.3.

To describe equiprobable (and, in particular, measure preserving) mappings we need $p$-adic differential calculus techniques as well as certain notions introduced in [6, 16, 7].

3.19. Definition. A function $F = (f_1, \ldots, f_m)\colon \mathbb{Z}_p^{(n)} \to \mathbb{Z}_p^{(m)}$ is said to be differentiable modulo $p^k$ at the point $\mathbf{u} = (u_1, \ldots, u_n) \in \mathbb{Z}_p^{(n)}$ if there exist a positive rational integer $N$ and an $n \times m$ matrix $F'_k(\mathbf{u})$ over $\mathbb{Q}_p$ (called the Jacobi matrix modulo $p^k$ of the function $F$ at the point $\mathbf{u}$) such that for every positive rational integer $K \ge N$ and every $\mathbf{h} = (h_1, \ldots, h_n) \in \mathbb{Z}_p^{(n)}$ the inequality $\|\mathbf{h}\|_p \le p^{-K}$ implies that

$$F(\mathbf{u} + \mathbf{h}) \equiv F(\mathbf{u}) + \mathbf{h}\,F'_k(\mathbf{u}) \pmod{p^{K+k}}. \qquad (3.19.1)$$

In case $m = 1$ the Jacobi matrix modulo $p^k$ is called a differential modulo $p^k$. In case $m = n$ the determinant of the Jacobi matrix modulo $p^k$ is called a Jacobian modulo $p^k$. The elements of the Jacobi matrix modulo $p^k$ are called partial derivatives modulo $p^k$ of the function $F$ at the point $\mathbf{u}$.

A partial derivative (respectively, a differential) modulo $p^k$ is sometimes denoted as $\dfrac{\partial_k f_i(\mathbf{u})}{\partial_k x_j}$ (respectively, as $d_k F(\mathbf{u}) = \sum_{i=1}^{n} \dfrac{\partial_k F(\mathbf{u})}{\partial_k x_i}\, d_k x_i$).

The definition immediately implies that the partial derivatives modulo $p^k$ of the function $F$ are defined up to a $p$-adic integer summand whose $p$-adic norm does not exceed $p^{-k}$. In cases when all partial derivatives modulo $p^k$ at all points of $\mathbb{Z}_p^{(n)}$ are $p$-adic integers, we say that the function $F$ has integer-valued derivatives modulo $p^k$; in these cases we can associate to each partial derivative modulo $p^k$ a unique element of the ring $\mathbb{Z}/p^k$, and the Jacobi matrix modulo $p^k$ at each point $\mathbf{u} \in \mathbb{Z}_p^{(n)}$ thus can be considered as a matrix over the ring $\mathbb{Z}/p^k$. It turns out that this is exactly the case for compatible $F$. Namely, the following proposition holds.

3.20. Proposition. ([6, Corollary 3.8], [7, Corollary 3.3]) Let a compatible function $F = (f_1, \ldots, f_m)\colon \mathbb{Z}_p^{(n)} \to \mathbb{Z}_p^{(m)}$ be uniformly differentiable modulo $p^k$ at the point $\mathbf{u} \in \mathbb{Z}_p^{(n)}$. Then $\Big\|\dfrac{\partial_k f_i(\mathbf{u})}{\partial_k x_j}\Big\|_p \le 1$, i.e., $F$ has integer-valued deriv atives modulo $p^k$.

For the functions with integer-valued derivatives modulo $p^k$ the 'rules of differentiation modulo $p^k$' have the same (up to congruence modulo $p^k$ instead of equality) form as for usual differentiation. For instance, if both functions $G\colon \mathbb{Z}_p^{(s)} \to \mathbb{Z}_p^{(n)}$ and $F\colon \mathbb{Z}_p^{(n)} \to \mathbb{Z}_p^{(m)}$ are differentiable modulo $p^k$ at the points, respectively, $\mathbf{v} = (v_1, \ldots, v_s)$ and $\mathbf{u} = G(\mathbf{v})$, and their partial derivatives modulo $p^k$ at these points are $p$-adic integers, then the composition $F \circ G\colon \mathbb{Z}_p^{(s)} \to \mathbb{Z}_p^{(m)}$ of these functions is uniformly differentiable modulo $p^k$ at the point $\mathbf{v}$, all its partial derivatives modulo $p^k$ at this point are $p$-adic integers, and $(F \circ G)'_k(\mathbf{v}) \equiv G'_k(\mathbf{v})\,F'_k(\mathbf{u}) \pmod{p^k}$.

By analogy with the classical case we can give the following

3.21. Definition. A function $F\colon \mathbb{Z}_p^{(n)} \to \mathbb{Z}_p^{(m)}$ is said to be uniformly differentiable modulo $p^k$ on $\mathbb{Z}_p^{(n)}$ iff there exists $K \in \mathbb{N}$ such that (3.19.1) holds simultaneously for all $\mathbf{u} \in \mathbb{Z}_p^{(n)}$ as soon as $\|h_i\|_p \le p^{-K}$ ($i = 1, 2, \ldots, n$). The least such $K \in \mathbb{N}$ is denoted by $N_k(F)$.

We recall that all partial derivatives modulo $p^k$ of a uniformly differentiable modulo $p^k$ function $F$ are periodic functions with period $p^{N_k(F)}$ (see [6, Proposition 2.12]). This in particular implies that each partial derivative modulo $p^k$ could be considered as a function defined on $\mathbb{Z}/p^{N_k(F)}$. Moreover, if a continuation $\bar F$ of the function $F = (f_1, \ldots, f_m)\colon \mathbb{N}_0^{(n)} \to \mathbb{N}_0^{(m)}$ to the space $\mathbb{Z}_p^{(n)}$ is uniformly differentiable modulo $p^k$ on $\mathbb{Z}_p^{(n)}$, then one could continue both the function $F$ and all its (partial) derivatives modulo $p^k$ to the space $\mathbb{Z}_p^{(n)}$ simultaneously. This implies that we could study, if necessary, (partial) derivatives modulo $p^k$ of the function $\bar F$ instead of those of $F$, and vice versa. For example, a partial derivative $\dfrac{\partial_k f_i(\mathbf{u})}{\partial_k x_j}$ modulo $p^k$ vanishes modulo $p^k$ at no point of $\mathbb{Z}_p^{(n)}$ (that is, $\dfrac{\partial_k f_i(\mathbf{u})}{\partial_k x_j} \not\equiv 0 \pmod{p^k}$ for all $\mathbf{u} \in \mathbb{Z}_p^{(n)}$, or, the same, $\Big\|\dfrac{\partial_k f_i(\mathbf{u})}{\partial_k x_j}\Big\|_p > p^{-k}$ everywhere on $\mathbb{Z}_p^{(n)}$) if and only if $\dfrac{\partial_k f_i(\mathbf{u})}{\partial_k x_j} \not\equiv 0 \pmod{p^k}$ for all $\mathbf{u} \in \{0, 1, \ldots, p^{N_k(F)} - 1\}$.

To calculate a derivative of, for instance, a state transition function which is a composition of 'elementary' functions (see 3.12), one needs to know the derivatives of these 'elementary' functions, such as (2.0.1) and (2.0.3). Thus, we briefly introduce a $p$-adic analogue of the 'table of derivatives' of classical Calculus.

3.22. Example. Derivatives of bitwise logical operations.

(1) A function $f(x) = x \text{ AND } c$ is uniformly differentiable on $\mathbb{Z}_2$ for any $c \in \mathbb{Z}$; $f'(x) = 0$ for $c \ge 0$, and $f'(x) = 1$ for $c < 0$, since $f(x + 2^n s) = f(x)$, respectively $f(x + 2^n s) = f(x) + 2^n s$, for $n \ge l(|c|)$, where $l(|c|)$ is the bit length of the absolute value of $c$ (mind that for $c > 0$ the 2-adic representation of $-c$ starts with $2^{l(c)} - c$ in the less significant bits, followed by $11\ldots$: $-1 = 11\ldots$, $-3 = 10111\ldots$, etc.).

(2) A function $f(x) = x \text{ XOR } c$ is uniformly differentiable on $\mathbb{Z}_2$ for any $c \in \mathbb{Z}$; $f'(x) = 1$ for $c \ge 0$, and $f'(x) = -1$ for $c < 0$. This immediately follows from (1) since $u \text{ XOR } v = u + v - 2(u \text{ AND } v)$ (see (2.0.2)); thus $(x \text{ XOR } c)' = x' + c' - 2(x \text{ AND } c)' = 1 - 2\cdot(0 \text{ for } c \ge 0;\ 1 \text{ for } c < 0)$.

(3) In the same manner it could be shown that the functions $(x \bmod 2^n)$, $\mathrm{neg}(x)$ and $(x \text{ OR } c)$ for $c \in \mathbb{Z}$ are uniformly differentiable on $\mathbb{Z}_2$, and $(x \bmod 2^n)' = 0$, $(\mathrm{neg}\,x)' = -1$, $(x \text{ OR } c)' = 1$ for $c \ge 0$, $(x \text{ OR } c)' = 0$ for $c < 0$.

(4) A function $f(x, y) = x \text{ XOR } y$ is not uniformly differentiable on $\mathbb{Z}_2^{(2)}$, yet it is uniformly differentiable modulo 2 on $\mathbb{Z}_2^{(2)}$; from (2) it follows that its partial derivatives modulo 2 are 1 everywhere on $\mathbb{Z}_2^{(2)}$.

Here is how it works altogether.

Example. A function $f(x) = x + (x^2 \text{ OR } 5)$ is uniformly differentiable on $\mathbb{Z}_2$, and $f'(x) = 1 + 2x\cdot(x \text{ OR } 5)' = 1 + 2x$.

A function $F(x, y) = (f(x, y), g(x, y)) = (x \oplus 2(x \wedge y),\ (y + 3x^2) \oplus x)$ is uniformly differentiable modulo 2 as a bivariate function, and $N_1(F) = 1$; namely
$$F(x + 2^n t,\ y + 2^m s) \equiv F(x, y) + (2^n t,\ 2^m s)\cdot\begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix} \pmod{2^{k+1}}$$
for all $m, n \ge 1$ (here $k = \min\{m, n\}$). The matrix $\begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix} = F'_1(x, y)$ is the Jacobi matrix modulo 2 of $F$; here is how we calculate partial derivatives modulo 2: for instance,
$$\frac{\partial_1 g}{\partial_1 x} = \frac{\partial_1 (y + 3x^2)}{\partial_1 x} + \frac{\partial_1 x}{\partial_1 x} = 6x\cdot 1 + 1\cdot 1 \equiv 1 \pmod 2.$$
Note that a partial derivative modulo 2 of the function $2(x \wedge y)$ is always 0 modulo 2 because of the multiplier 2: the function $x \wedge y$ is not differentiable modulo 2 as a bivariate function, yet $2(x \wedge y)$ is. So the Jacobian of the function $F$ is $\det F'_1 \equiv 1 \pmod 2$.

Now let $F = (f_1, \ldots, f_m)\colon \mathbb{Z}_p^{(n)} \to \mathbb{Z}_p^{(m)}$ and $f\colon \mathbb{Z}_p^{(n)} \to \mathbb{Z}_p$ be compatible functions which are uniformly differentiable on $\mathbb{Z}_p^{(n)}$ modulo $p$. This is a relatively weak restriction since all functions that are uniformly differentiable on $\mathbb{Z}_p^{(n)}$, as well as functions which are uniformly differentiable on $\mathbb{Z}_p^{(n)}$ modulo $p^k$ for some $k \ge 1$, are uniformly differentiable on $\mathbb{Z}_p^{(n)}$ modulo $p$; note that $\frac{\partial_k F}{\partial_k x_j} \equiv \frac{\partial_{k-1} F}{\partial_{k-1} x_j} \pmod{p^{k-1}}$. Moreover, all values of all partial derivatives modulo $p^k$ (and thus, modulo $p$) of $F$ and $f$ are $p$-adic integers everywhere on $\mathbb{Z}_p^{(n)}$ (see 3.20), so to calculate these values one can use the techniques considered above.

3.23. Theorem. ([16, Theorems 3.1 and 3.2; resp., 3.7 and 3.9 in the preprint], [7, 5.2–5.5], [6, 5.2–5.5]) A function $F\colon \mathbb{Z}_p^{(n)} \to \mathbb{Z}_p^{(m)}$ is equiprobable whenever it is equiprobable modulo $p^k$ for some $k \ge N_1(F)$ and the rank of its Jacobi matrix $F'_1(u)$ modulo $p$ is exactly $m$ at all points $u = (u_1, \ldots, u_n) \in (\mathbb{Z}/p^k)^{(n)}$. In case $m = n$ these conditions are also necessary, i.e., the function $F$ preserves measure iff it is bijective modulo $p^k$ for some $k \ge N_1(F)$ and $\det(F'_1(u)) \not\equiv 0 \pmod p$ for all $u = (u_1, \ldots, u_n) \in (\mathbb{Z}/p^k)^{(n)}$. Moreover, in the considered case these conditions imply that $F$ preserves measure iff it is bijective modulo

That is, if the mapping $u \mapsto F(u) \bmod p^{N_1(F)}$ is equiprobable, and if the rank of the Jacobi matrix $F'_1(u)$ modulo $p$ is exactly $m$ at all points $u \in (\mathbb{Z}/p^{N_1(F)})^{(n)}$, then each mapping $u \mapsto F(u) \bmod p^r$ of $(\mathbb{Z}/p^r)^{(n)}$ onto $(\mathbb{Z}/p^r)^{(m)}$ $(r = 1, 2, 3, \ldots)$ is equiprobable (i.e., each point $z \in (\mathbb{Z}/p^r)^{(m)}$ has the same number of preimages in $(\mathbb{Z}/p^r)^{(n)}$, see 2.2).

3.24. Example. (see [19])

(1) A mapping
$$(x, y) \mapsto F(x, y) = \bigl(x \oplus 2(x \wedge y),\ (y + 3x^2) \oplus x\bigr) \bmod 2^r$$
of $(\mathbb{Z}/2^r)^{(2)}$ onto $(\mathbb{Z}/2^r)^{(2)}$ is bijective for all $r = 1, 2, \ldots$

Indeed, the function $F$ is bijective modulo $2^{N_1(F)} = 2$ (direct verification) and $\det(F'_1(u)) \equiv 1 \pmod 2$ for all $u \in (\mathbb{Z}/2)^{(2)}$ (see 3.22 and the example thereafter).

(2) The following mappings of $\mathbb{Z}/2^r$ onto $\mathbb{Z}/2^r$ are bijective for all $r = 1, 2, \ldots$:
$$x \mapsto (x + 2x^2) \bmod 2^r,\qquad x \mapsto (x + (x^2 \vee 1)) \bmod 2^r,\qquad x \mapsto (x \oplus (x^2 \vee 1)) \bmod 2^r.$$

Indeed, all three mappings are uniformly differentiable modulo 2, and $N_1 = 1$ for all of them. So it suffices to prove that all three mappings are bijective modulo 2, i.e. as mappings of the residue ring $\mathbb{Z}/2$ onto itself (this could be checked by direct calculations), and that their derivatives modulo 2 vanish at no point of $\mathbb{Z}/2$. The latter also holds, since the derivatives are, respectively,
$$1 + 4x \equiv 1 \pmod 2,\qquad 1 + 2x\cdot 1 \equiv 1 \pmod 2,\qquad 1 + 2x\cdot 1 \equiv 1 \pmod 2,$$
since $(x^2 \vee 1)' = 2x\cdot 1 \equiv 0 \pmod 2$, and $(x \oplus c)'_1 \equiv 1 \pmod 2$ (see 3.22).

(3) The following closely related variants of the previous mappings of $\mathbb{Z}/2^r$ onto $\mathbb{Z}/2^r$ are NOT bijective for all $r = 1, 2, \ldots$:
$$x \mapsto (x + x^2) \bmod 2^r,\qquad x \mapsto (x + (x^2 \wedge 1)) \bmod 2^r,\qquad x \mapsto (x \oplus (x^2 \wedge 1)) \bmod 2^r,$$
since they are compatible but not bijective modulo 2.

(4) (see [H], also [19, Theorem 1]) Let $P(x) = a_0 + a_1 x + \cdots + a_d x^d$ be a polynomial with integral coefficients. Then $P(x)$ is a permutation polynomial (i.e., is bijective) modulo $2^n$, $n > 1$, if and only if $a_1$ is odd, $(a_2 + a_4 + \cdots)$ is even, and $(a_3 + a_5 + \cdots)$ is even.

In view of 3.23 we have to verify whether the two conditions hold: first, whether $P$ is bijective modulo 2, and second, whether $P'(z) \equiv 1 \pmod 2$ for $z \in \{0, 1\}$. The first condition gives that $P(0) = a_0$ and $P(1) = a_0 + a_1 + a_2 + \cdots$ must be distinct modulo 2; hence $a_1 + a_2 + \cdots \equiv 1 \pmod 2$. The second condition implies that $P'(0) = a_1 \equiv 1 \pmod 2$ and $P'(1) \equiv a_1 + a_3 + a_5 + \cdots \equiv 1 \pmod 2$. Now combining all this together we get $a_2 + a_3 + \cdots \equiv 0 \pmod 2$ and $a_3 + a_5 + \cdots \equiv 0 \pmod 2$, hence $a_2 + a_4 + \cdots \equiv 0 \pmod 2$.

(5) As a bonus, we can use exactly the same proof to get exactly the same characterization of bijective modulo $2^r$ $(r = 1, 2, \ldots)$ mappings of the form $x \mapsto P(x) = a_0 \oplus a_1 x \oplus \cdots \oplus a_d x^d \bmod 2^r$, since $u \oplus v$ is uniformly differentiable modulo 2 as a bivariate function, its derivative modulo 2 is exactly the same as the derivative of $u + v$, and besides, $u \oplus v \equiv u + v \pmod 2$.

Note that in general Theorem 3.23 could be applied to a class of functions that is narrower than the class of all compatible functions. However, it turns out that for $p = 2$ this is not the case. Namely, the following proposition holds, which in fact is just a restatement of a corresponding assertion of 3.13.

3.25. Proposition. ([6, Corollary 4.6], [7, Corollary 4.4]) If a compatible function $g\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ preserves measure then it is uniformly differentiable modulo 2 and has integer derivative modulo 2 (which is always 1 modulo 2).

The techniques introduced above could also be applied to characterize ergodic functions.

3.26. Theorem. ([16, Theorem 3.4, resp. 3.14 in the preprint], [7, Theorem 5.7], [6, Theorem 5.7]) Let a compatible function $f\colon \mathbb{Z}_p \to \mathbb{Z}_p$ be uniformly differentiable modulo $p^2$. Then $f$ is ergodic if and only if it is transitive modulo $p^{N_2(f)+1}$ when $p$ is an odd prime, or modulo $2^{N_2(f)+2}$ when $p = 2$.

3.27. Example. In [19] it is stated that "...neither the invertibility nor the cycle structure of $x + (x^2 \vee 5)$ could be determined by his (i.e., mine — V.A.) techniques." See however how it could be immediately done with the use of Theorem 3.26: The function $f(x) = x + (x^2 \vee 5)$ is uniformly differentiable on $\mathbb{Z}_2$, thus it is uniformly differentiable modulo 4 (see 3.22 and the example thereafter), and $N_2(f) = 3$. Now to prove that $f$ is ergodic, in view of 3.26 it suffices to demonstrate that $f$ induces a permutation with a single cycle on $\mathbb{Z}/32$. Direct calculations show that the string $0,\ f(0) \bmod 32,\ f^{(2)}(0) \bmod 32 = f(f(0)) \bmod 32,\ \ldots,\ f^{(31)}(0) \bmod 32$ is a permutation of the string $0, 1, 2, \ldots, 31$, thus ending the proof.

Note that both Theorems 3.23 and 3.26 share the same feature: To prove ergodicity (or measure preservation) of a certain mapping it suffices to verify only whether this mapping is transitive (respectively, bijective) modulo $p^N$ for a certain $N$. The origin of this feature is a peculiarity of the $p$-adic distance; in fact such an effect goes back to Hensel's lemma. By the way, using this feature, namely, the fact that a polynomial $f$ with integer coefficients induces an ergodic mapping of $\mathbb{Z}_2$ onto itself iff $f$ is transitive modulo 8 (see 3.5; note that 3.26 implies modulo 16), M. V. Larin proved the following theorem in the spirit of Rivest's 3.24(4).

3.28. Theorem. (['J, Proposition 21]) Let $P(x) = a_0 + a_1 x + \cdots + a_d x^d$ be a polynomial with integral coefficients. Then $P(x)$ induces a permutation with a single cycle modulo $2^n$, $n > 2$, if and only if the following congruences hold simultaneously:
$$a_3 + a_5 + a_7 + a_9 + \cdots \equiv 2a_2 \pmod 4;$$
$$a_4 + a_6 + a_8 + \cdots \equiv a_1 + a_2 - 1 \pmod 4;$$
$$a_1 \equiv 1 \pmod 2;$$
$$a_0 \equiv 1 \pmod 2.$$

It would be of interest to understand whether an analogue of 3.24(5) for ergodic polynomials over $\mathbb{Z}$ could be proved: A straightforward application of the same ideas does not work since the function $x \oplus y$ is uniformly differentiable modulo 2, but not modulo 4, cf. Theorem 3.26.
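The statements of 3.24(2), 3.24(3), 3.27 and the two polynomial criteria (3.24(4) and Theorem 3.28) are all decidable on small residue rings by direct computation. The following script is an added example, not code from the paper: it checks the bijectivity and single-cycle claims modulo $2^r$ and compares both polynomial criteria against brute force over all polynomials of degree at most 4 with coefficients in $0..3$; the function names and the coefficient ranges are choices made here.

```python
# Added example (not from the paper): brute-force checks on small residue rings of the
# bijectivity claims of Example 3.24, the single cycle of Example 3.27 and the polynomial
# criteria of 3.24(4) (Rivest) and Theorem 3.28 (Larin).
from itertools import product


def images_mod(f, n):
    """Values of f on Z/2^n reduced mod 2^n (well defined because f is compatible)."""
    mod = 1 << n
    return [f(x) % mod for x in range(mod)]


def is_bijective_mod(f, n):
    """True iff f induces a permutation of the residue ring Z/2^n."""
    return sorted(images_mod(f, n)) == list(range(1 << n))


def is_transitive_mod(f, n):
    """True iff f induces a permutation of Z/2^n with a single cycle (follow the orbit of 0)."""
    mod, x, steps = 1 << n, 0, 0
    while True:
        x, steps = f(x) % mod, steps + 1
        if x == 0 or steps > mod:
            return steps == mod


def poly(coeffs):
    """P(x) = a_0 + a_1 x + ... + a_d x^d for coeffs = (a_0, ..., a_d)."""
    return lambda x: sum(a * x ** i for i, a in enumerate(coeffs))


def rivest_bijective(coeffs):
    """Criterion of 3.24(4): P permutes Z/2^n (n > 1) iff a_1 is odd and both
    a_2 + a_4 + ... and a_3 + a_5 + ... are even."""
    a = list(coeffs) + [0, 0, 0]
    return a[1] % 2 == 1 and sum(a[2::2]) % 2 == 0 and sum(a[3::2]) % 2 == 0


def larin_single_cycle(coeffs):
    """Criterion of Theorem 3.28: P is a single cycle mod 2^n (n > 2) iff
    a_3 + a_5 + ... = 2 a_2 (mod 4), a_4 + a_6 + ... = a_1 + a_2 - 1 (mod 4),
    a_1 odd and a_0 odd."""
    a = list(coeffs) + [0, 0, 0, 0]
    return ((sum(a[3::2]) - 2 * a[2]) % 4 == 0
            and (sum(a[4::2]) - a[1] - a[2] + 1) % 4 == 0
            and a[1] % 2 == 1 and a[0] % 2 == 1)


def criteria_agree_with_brute_force(n=4, max_degree=4, coeff_range=4):
    """Compare both criteria with direct computation mod 2^n (n > 2) over every
    polynomial of degree <= max_degree with coefficients in 0..coeff_range-1."""
    for coeffs in product(range(coeff_range), repeat=max_degree + 1):
        P = poly(coeffs)
        if rivest_bijective(coeffs) != is_bijective_mod(P, n):
            return False
        if larin_single_cycle(coeffs) != is_transitive_mod(P, n):
            return False
    return True


# The mappings of 3.24(2) (bijective) and their variants of 3.24(3) (not bijective);
# the third variant, x XOR (x^2 AND 1), is the one read off the page.
BIJECTIVE = {
    "x + 2x^2": lambda x: x + 2 * x * x,
    "x + (x^2 OR 1)": lambda x: x + (x * x | 1),
    "x XOR (x^2 OR 1)": lambda x: x ^ (x * x | 1),
}
NOT_BIJECTIVE = {
    "x + x^2": lambda x: x + x * x,
    "x + (x^2 AND 1)": lambda x: x + (x * x & 1),
    "x XOR (x^2 AND 1)": lambda x: x ^ (x * x & 1),
}


def klimov_shamir_map(x):
    """f(x) = x + (x^2 OR 5) of Example 3.27; ergodic on Z_2, hence transitive mod 2^k for all k."""
    return x + (x * x | 5)


def check_examples(max_r=8):
    """True iff the claims of 3.24(2), 3.24(3) and 3.27 hold modulo 2^r for r = 1..max_r."""
    for r in range(1, max_r + 1):
        if not all(is_bijective_mod(f, r) for f in BIJECTIVE.values()):
            return False
        if any(is_bijective_mod(f, r) for f in NOT_BIJECTIVE.values()):
            return False
        if not is_transitive_mod(klimov_shamir_map, r):
            return False
    return True


if __name__ == "__main__":
    print("examples 3.24(2), 3.24(3), 3.27 hold up to 2^8:", check_examples())
    print("Rivest and Larin criteria agree with brute force mod 16:",
          criteria_agree_with_brute_force(n=4))
```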



4. Constructions 

In this section we introduce several constructions that enable one to build pseudorandom number generators out of 'building blocks' based on ergodic and equiprobable mappings. Output sequences of these generators are always strictly uniformly distributed. Other probabilistic and cryptographic properties of these generators are discussed in further sections.

Our base construction is a finite automaton $\mathfrak{A} = \langle N, M, f, F, u_0\rangle$ such that

• the state set $N$ is finite;

• the state transition function $f\colon N \to N$ is transitive (i.e., $f$ is a permutation with a single cycle);

• the output alphabet $M$ is finite, and $|M|$ is a factor of $|N|$;

• the output function $F\colon N \to M$ is equiprobable, i.e., all preimages $F^{-1}(z)$, $z \in M$, have the same cardinality $|N|/|M|$;

• the initial state (a seed) $u_0$ is an arbitrary element of $N$.

Under these conditions the output sequence
$$\mathcal{S}(u_0) = \{F(u_0),\ F(f(u_0)),\ F(f^{(2)}(u_0)),\ \ldots,\ F(f^{(i)}(u_0)),\ \ldots\}$$
of the automaton $\mathfrak{A}$ is strictly uniformly distributed over $M$, i.e., $\mathcal{S}(u_0)$ is a purely periodic sequence, $|N|$ is its period length, and every element $z \in M$ occurs at the period exactly $|N|/|M|$ times, see 2.3.
Congruential generator of a maximum period length. This corresponds to the case when $N = M$, $f$ is a compatible and transitive mapping of the residue ring $\mathbb{Z}/|N|$ onto itself, and $F$ is the identity transformation (we identify $N$ with $\mathbb{Z}/|N|$ in an obvious manner). This generator is said to be congruential since the algebraic notion of compatibility just means that $f$ preserves all congruences of the ring $\mathbb{Z}/|N|$, i.e. for all $a, b \in N$, $a \equiv b \pmod d \Rightarrow f(a) \equiv f(b) \pmod d$ whenever $d \mid |N|$.

4.1. Note. In order to avoid future misunderstanding it is important to emphasize here that our notion of a congruential generator differs from that of Krawczyk, [14]. According to the latter paper, a (general) congruential generator is a number generator for which the element $s_i$ of the sequence is a $\{0, 1, \ldots, m-1\}$-valued number computed by the congruence
$$(4.1.1)\qquad s_i \equiv \sum_{j=1}^{k} \alpha_j \Phi_j(s_{-n_0}, \ldots, s_{-1}, s_0, \ldots, s_{i-1}) \pmod m,$$
where $\alpha_j \in \mathbb{Z}$, $m \in \{2, 3, \ldots\}$ and $\Phi_j$, $1 \le j \le k$, is an arbitrary integer-valued function. Note that this definition could be restated in the equivalent form: a (general) congruential generator is a number generator for which the $i$-th element $s_i$ of the output sequence is computed by the congruence
$$s_i \equiv \Phi(s_{-n_0}, \ldots, s_{-1}, s_0, \ldots, s_{i-1}) \pmod m,$$
where, as Krawczyk notes (see [14, page 531]), $\Phi$ is an arbitrary integer-valued function that works on finite sequences of integers. Thus, according to Krawczyk's definition, an arbitrary infinite sequence over $\{0, 1, \ldots, m-1\}$ should be considered as a congruential generator. Such a definition is too general for the purposes of our paper. Results of [14] in connection with the problem of predictability of the generators considered in this paper will be discussed later.

So further in the paper a congruential generator is assumed to be the automaton $\mathfrak{A}$ such that $M = N$, $F\colon M \to M$ is the trivial permutation, and the state transition function $f$, being considered as a mapping of the residue ring $\mathbb{Z}/|N|$ into itself, preserves all congruences of this ring.

In case the number of states is composite, $|N| = p_1^{n_1} p_2^{n_2} \cdots p_t^{n_t}$, $p_j$ prime, $j = 1, 2, \ldots, t$, this generator could obviously be represented as a direct product of congruential generators with prime power state sets: $\mathbb{Z}/|N| \cong \mathbb{Z}/p_1^{n_1} \times \cdots \times \mathbb{Z}/p_t^{n_t}$, and $f = f_1 \times \cdots \times f_t$, where $f_j = (\bar f_j) \bmod p_j^{n_j}$, $\bar f_j\colon \mathbb{Z}_{p_j} \to \mathbb{Z}_{p_j}$ is a compatible and ergodic mapping, $j = 1, 2, \ldots, t$.

Example. For $|N| = 10^k = 2^k \cdot 5^k$ the mapping $f(x) = 11x + 11^x$ is transitive modulo $10^k$ for all $k = 1, 2, \ldots$ (see 3.3 and the note thereafter).

Thus, the case of a composite number of states could be reduced to the case when the number of states is a power of a prime, i.e., when $|N| = p^n$. An obvious disadvantage of this congruential generator is that the period length of the sequence $\{\delta_j(f^{(i)}(u_0)) : i = 0, 1, 2, \ldots\}$ (where $\delta_j(z)$ stands for the $j$-th digit of the base-$p$ expansion of $z$) is exactly $p^{j+1}$, i.e., only the most significant bit of the output sequence has a maximum period length, which is obviously equal to the period of the whole output sequence.

While being not very significant in case the output sequence is applied to simulation tasks (especially if one uses the sequence $\bigl\{\frac{f^{(i)}(u_0)}{p^n}\bigr\}$; the latter use is common for numerical experiments), this disadvantage in general leads to cryptographic insecurity of the generator whenever the function $f$ is known to a cryptanalyst. Indeed, to solve a congruence $z \equiv f(x) \pmod{p^n}$ (and as a result to find a key, which is the initial state $u_0$ in this case) one might use a version of the $p$-adic Newton's method (the latter is the base of a canonical proof of Hensel's lemma).

Namely, one solves a congruence $z \equiv f(x) \pmod p$, thus finding the least significant digit $\delta_0(x)$ of $x$. Provided $\delta_j(x)$ for $j = 0, 1, \ldots, k-1$ are already found, to find $\delta_k(x)$ one has to find the (unique) solution of a congruence $z \equiv f(\bar x) + p^k f_k(\bar x, \delta_k(x)) \pmod{p^{k+1}}$, where $\bar x = \delta_0(x) + \delta_1(x)\cdot p + \cdots + \delta_{k-1}(x)\cdot p^{k-1}$ and the mapping $f_k(\cdot, \cdot)\colon \mathbb{Z}/p^k \times \mathbb{Z}/p \to \mathbb{Z}/p$ is uniquely determined by $f$. Of course, to express $f_k(\cdot, \cdot)$ explicitly is a separate problem, yet it is easy in a number of important cases. For instance, $f_k(\bar x, \delta_k(x)) = \delta_k(x)$ in case $p = 2$ (see 3.25).

We may also consider the case when $f$ is not known to a cryptanalyst: e.g., for $p = 2$ one may take $f = 1 + x + 4g(x)$, where $g(x)$ is a compatible key-dependent function which is not known to a cryptanalyst. Such a function $f$ is ergodic, see 3.15. This situation is a little better in comparison with a known $f$. However, the sequence formed of the less significant bits of $f^{(i)}(u_0)$ is predictable in both directions, i.e. knowing $k$ members of the sequence $\{f^{(i)}(u_0)\}$ a cryptanalyst finds $\delta_j(f^{(i)}(u_0))$ for all $j < \log_2 k$ and all $i = 0, 1, 2, \ldots$, stretching the corresponding periods in both directions. Thus, a good idea is to discard the less significant bits of the output sequence: Note that the methods of [14], as is directly pointed out there, do not apply to generators that output only parts of the numbers generated. So we come to the notion of

Truncated congruential generator of a maximum period length. The latter is an automaton $\mathfrak{A}$ such that $|N| = p^n$, $p$ prime, $|M| = p^m$, $m < n$, $f = (\bar f) \bmod p^n$, $\bar f$ is a compatible and ergodic mapping of $\mathbb{Z}_p$ onto itself, $F(u) = \lfloor u/p^{n-m} \rfloor$, $u \in \{0, 1, \ldots, p^n - 1\}$. Note that the function $F$ is not compatible, yet equiprobable, so the output sequence, considered as a sequence over $\mathbb{Z}/p^m$, is purely periodic with period length exactly $p^n$, and each element of $\mathbb{Z}/p^m$ occurs at the period exactly $p^{n-m}$ times. In this paper we are mainly focused on the case $p = 2$.

An important example of such an output function $F$ is the mapping $\delta_j\colon \mathbb{Z}_2 \to \mathbb{Z}/2$. It returns the $j$-th digit of $z$ and is obviously equiprobable. We call the corresponding sequence $\{\delta_j(f^{(i)}(z)) : i = 0, 1, 2, \ldots\}$ the $j$-th coordinate sequence, since the sequence $\{f^{(i)}(z) : i = 0, 1, 2, \ldots\}$ could be thought of as a sequence of vectors $\{(\delta_0(f^{(i)}(z)), \delta_1(f^{(i)}(z)), \ldots) : i = 0, 1, 2, \ldots\}$ over the field $\mathbb{Z}/2$ of two elements. Of course, the use of $\delta_j$ as an output function of the automaton $\mathfrak{A}$ significantly reduces the performance, and the corresponding pseudorandom generator might be not of much practical value. Nonetheless, we have to study coordinate sequences to be able to prove certain important properties of output sequences of the pseudorandom generators considered in the paper. In particular, while studying the probabilistic quality of output sequences of truncated congruential generators one has to study correlations among coordinate sequences. We postpone these issues to Section 5.
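The two facts just used, that the $j$-th coordinate sequence has period $2^{j+1}$ while the truncated output keeps the full period $2^n$ with every value occurring $2^{n-m}$ times, can be seen directly on a small instance. The script below is an added example, not code from the paper; it runs the congruential generator with the ergodic map $f(x) = x + (x^2 \vee 5)$ of Example 3.27 (the choice of $f$, $n = 6$ and $m = 3$ and the helper names are made here) and measures the periods of the coordinate sequences, of the $m$ most significant bits and, for contrast, of the $m$ discarded low bits.

```python
# Added example (not from the paper): periods of the coordinate sequences and of the
# truncated output of the congruential generator x_{i+1} = f(x_i) mod 2^n.
from collections import Counter


def exact_period(seq):
    """Smallest P > 0 with seq[i] == seq[i+P] for all i; seq must hold at least two periods."""
    for p in range(1, len(seq) // 2 + 1):
        if all(seq[i] == seq[i + p] for i in range(len(seq) - p)):
            return p
    return None


def ergodic_f(x):
    """f(x) = x + (x^2 OR 5): compatible and ergodic on Z_2 (Example 3.27)."""
    return x + (x * x | 5)


def state_sequence(f, n, u0, length):
    """x_0 = u0, x_{i+1} = f(x_i) mod 2^n: the state sequence of the congruential generator."""
    mod, xs, x = 1 << n, [], u0 % (1 << n)
    for _ in range(length):
        xs.append(x)
        x = f(x) % mod
    return xs


def coordinate_sequence(xs, j):
    """The j-th coordinate sequence {delta_j(x_i)}: bit j of every state."""
    return [(x >> j) & 1 for x in xs]


def truncated_output(xs, n, m):
    """Output function F(u) = floor(u / 2^(n-m)) of the truncated generator: the m top bits."""
    return [x >> (n - m) for x in xs]


def low_bits_output(xs, m):
    """The discarded part: the m least significant bits (a compatible, hence short-period, output)."""
    return [x & ((1 << m) - 1) for x in xs]


def coordinate_periods(f, n):
    """Exact period of each coordinate sequence; the text states it is 2^(j+1) for bit j."""
    xs = state_sequence(f, n, 0, 2 << n)          # two full periods of the state sequence
    return [exact_period(coordinate_sequence(xs, j)) for j in range(n)]


def output_statistics(f, n, m):
    """((period, value counts over one period)) for the top-m-bit and the low-m-bit outputs."""
    xs = state_sequence(f, n, 0, 2 << n)
    hi, lo = truncated_output(xs, n, m), low_bits_output(xs, m)
    p_hi, p_lo = exact_period(hi), exact_period(lo)
    return (p_hi, dict(Counter(hi[:p_hi]))), (p_lo, dict(Counter(lo[:p_lo])))


if __name__ == "__main__":
    n, m = 6, 3
    print("coordinate periods:", coordinate_periods(ergodic_f, n))
    (p_hi, cnt_hi), (p_lo, cnt_lo) = output_statistics(ergodic_f, n, m)
    print(f"top {m} bits: period {p_hi}, counts {cnt_hi}")
    print(f"low {m} bits: period {p_lo}, counts {cnt_lo}")
```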

A truncation usually makes generators slower but more secure: general methods that predict truncated congruential generators are not known, see [5], [12]. However, such methods exist in some particular cases, for instance, when $f$ is a polynomial over $\mathbb{Z}$ of degree 1, and/or a relatively small part of the less significant bits is discarded, see [21]. However, in general truncated congruential generators seem to be rather secure even if their state transition function is relatively simple: For instance, an analysis made in [20] shows that for $f(x) = (x + (x^2 \vee C)) \bmod 2^n$ the corresponding stream cipher is quite strong against a number of attacks. Note also that in the generators we study here both the state transition function and the output function could be keyed.

Wreath products of congruential generators. This construction enables one to construct pseudorandom generators such that their state transition function (and output function) is being modified dynamically while working, i.e. generators with a recurrence sequence of states satisfying a congruence
$$x_{i+1} \equiv f_i(x_i) \pmod{2^n}.$$
Such generators are called counter-dependent, see [13, Definition 2.4]. The problem here is how to guarantee the period length (and statistical quality) of this sequence $\{x_i\}$. The construction we introduce below offers a certain solution to this problem; the idea of the construction goes back to wreath products of permutation groups. The exact definition (which could be found in, e.g., [22]) is not needed within the context of this paper; we note, however, that this construction is just a permutation that belongs to a wreath product of a Sylow 2-subgroup of a symmetric group on $2^n$ elements by a cyclic group.

The idea of the construction is the following: Consider a (finite or infinite) sequence of automata $\mathfrak{A}_j = \langle N, M, f_j, F_j\rangle$, $j \in J = \{0, 1, 2, \ldots\}$ (where $J$ is finite, or $J = \mathbb{N}_0$). Note that all the automata $\mathfrak{A}_j$ have the same state set $N$ and the same output alphabet $M$. Now produce the following sequence $\{z_i : i = 1, 2, \ldots\}$: Choose an arbitrary $u_0 \in N$ and put
$$z_0 = F_0(u_0),\ u_1 = f_0(u_0);\ \ldots;\ z_i = F_i(u_i),\ u_{i+1} = f_i(u_i);\ \ldots$$
That is, at the $(i+1)$-th step the automaton $\mathfrak{A}_i$ is applied to the state $u_i$, producing a new state $u_{i+1} = f_i(u_i)$ and outputting a symbol $z_i = F_i(u_i)$.
Now we give a more formal
Now we give a more formal 

4.2. Definition. Let $\mathfrak{A}_j = \langle N, M, f_j, F_j\rangle$ be a family of automata with the same state set $N$ and the same output alphabet $M$, indexed by elements of a non-empty (possibly, countably infinite) set $J$ (members of the family are not necessarily pairwise distinct). Let $T\colon J \to J$ be an arbitrary mapping. A wreath product $\mathfrak{A}_j \wr_{j \in J} T$ of the family $\{\mathfrak{A}_j\}$ of the automata by the mapping $T$ is an automaton with state set $N \times J$, state transition function $f(j, z) = (f_j(z), T(j))$ and output function $F(j, z) = F_j(z)$. The state transition function $f(j, z) = (f_j(z), T(j))$ is called a wreath product of the family of mappings $\{f_j : j \in J\}$ by the mapping $T$; it is denoted as $f = f_j \wr_{j \in J} T$.

It is worth noticing here that if $J = \mathbb{N}_0$ and $F_i$ does not depend on $i$, this construction will give us a number of examples of counter-dependent generators in the sense of [13, Definition 2.4]. Note also that the generators we consider in this subsection are counter-dependent in a broader sense: Not only their state transition functions depend on $i$, but their output functions as well.

In fact, we are already familiar with wreath products of mappings: See the following
Example. Let $J = \mathbb{Z}/2^n$, let $T\colon \mathbb{Z}/2^n \to \mathbb{Z}/2^n$ be an arbitrary compatible permutation with a single cycle. Put $N = \{0, 1\}$, $f_z(u) = u \oplus \beta(z)$, where $u \in N$ and $\beta(z) = \beta(\delta_0(z), \ldots, \delta_{n-1}(z))$ is a Boolean polynomial of degree $n$ in $n$ Boolean variables (so $\{f_z\}$ is a family of linear congruential generators modulo 2). Then $f = f_z \wr_{z \in J} T$ could be considered as a mapping of $\mathbb{Z}/2^{n+1}$ onto itself (we identify $(\varepsilon, z) \in N \times J$ with $z + \varepsilon\cdot 2^n \in \mathbb{Z}/2^{n+1}$); moreover, $f$ is a compatible permutation on $\mathbb{Z}/2^{n+1}$ with a single cycle in view of 3.13. Thus, every compatible and ergodic mapping modulo $2^k$ could be obtained by successive application of wreath products. In fact, all compatible mappings of $\mathbb{Z}/2^{n+1}$ onto itself form a group $\mathrm{Syl}_2(2^{n+1})$ with respect to composition. This group is a Sylow 2-subgroup of the symmetric group $\mathrm{Sym}(2^{n+1})$ on $\mathbb{Z}/2^{n+1}$; it is known (see e.g. [22]) that
$$\mathrm{Syl}_2(2^{n+1}) = \underbrace{\mathrm{Sym}(2) \wr \mathrm{Sym}(2) \wr \cdots \wr \mathrm{Sym}(2)}_{n+1 \text{ factors}}.$$
Here $\wr$ stands for the wreath product of groups.

A generalization of the above example gives the following

4.3. Proposition. Let $T\colon \mathbb{Z}/2^m \to \mathbb{Z}/2^m$, $m > 1$, be an arbitrary permutation with a single cycle, let $\{c_0, \ldots, c_{2^m-1}\}$ be a finite sequence of 2-adic integers, and let $\{f_0, \ldots, f_{2^m-1}\}$ be a finite sequence of compatible mappings of $\mathbb{Z}_2$ onto itself. Put $H_j(x) = c_j + x + 4\cdot f_j(x)$. Then the wreath product $H_j \wr_{j=0}^{2^m-1} T$ defines a bijective mapping $W\colon \mathbb{Z}_2 \to \mathbb{Z}_2$,
$$W(x) = T(x \bmod 2^m) + 2^m \cdot H_{x \bmod 2^m}\bigl(\lfloor x/2^m \rfloor\bigr);$$
this mapping is asymptotically compatible and asymptotically ergodic (i.e., $a \equiv b \pmod{2^k} \Rightarrow W(a) \equiv W(b) \pmod{2^k}$ and $W$ is transitive modulo $2^k$ for all sufficiently large $k$; in fact, for all $k > m$, see [7, 6, 16] for definitions) if and only if $\sum_{j=0}^{2^m-1} c_j \equiv 1 \pmod 2$.

In other words, every recurrence sequence $\mathcal{X}_n = \{x_i\}$ defined by the relation
$$x_{i+1} = H_{i \bmod 2^m}(x_i) \bmod 2^n$$
is a strictly uniformly distributed sequence over $\mathbb{Z}/2^n$ of period length exactly $2^{n+m}$ if and only if $\sum_{j=0}^{2^m-1} c_j \equiv 1 \pmod 2$.

Proof. Since the wreath product of permutations on sets $N$ and $M$ is a permutation on the direct product $N \times M$ (see 4.2), the sequence $\mathcal{X}_n$ is purely periodic. Moreover, since the permutations $T$ and $I\colon z \mapsto (z + 1) \bmod 2^m$ are conjugate in $\mathrm{Sym}(2^m)$, and thus both wreath products $(H_j \bmod 2^n) \wr_{j=0}^{2^m-1} T$ and $(H_j \bmod 2^n) \wr_{j=0}^{2^m-1} I$ have the same cycle structure (the same number of cycles of length $\ell$, for all $\ell = 1, 2, \ldots$), it is sufficient to study the period of the sequence $x_{i+1} = H_i(x_i) \bmod 2^n$, assuming $H_i = H_{i \bmod 2^m}$ for $i \ge 2^m$. Further, since $W_n = (H_j \bmod 2^n) \wr_{j=0}^{2^m-1} I \in \mathrm{Syl}_2(2^{n+m})$, the period length of the sequence $\{x_i\}$ is a power of 2. Finally, since the mapping $W_n\colon \mathbb{Z}/2^{n+m} \to \mathbb{Z}/2^{n+m}$ is compatible, it is necessary and sufficient to understand when $W_n$ is transitive modulo $2^{n+m}$, i.e., for $k = n + m$. Yet the mapping $W_n$ could be considered as a function of a variable $z = i + 2^m\cdot x \in \mathbb{Z}/2^{m+n}$, where $i \in \{0, 1, \ldots, 2^m - 1\}$ and $x \in \{0, 1, \ldots, 2^n - 1\}$. Thus, we could apply 3.13 to study the transitivity of $W_n$. Since $W_n(z) \equiv z + 1 \pmod{2^m}$ by definition, we only have to calculate $\delta_j(H_i(x))$.

One has $\delta_0(c_i + x) \equiv x_0 + \beta(i) \pmod 2$ and
$$\delta_j(c_i + x) \equiv x_j + \beta(i)\,x_0 \cdots x_{j-1} + \eta_{ji}(x_0, \ldots, x_{j-1}) \pmod 2 \quad (j > 0),$$
where $x_j = \delta_j(x)$, $\beta(i) = \delta_0(c_i)$, and $\eta_{ji}(x_0, \ldots, x_{j-1})$ is a Boolean polynomial of degree $< j$ in the Boolean variables $x_0, \ldots, x_{j-1}$. Yet $\delta_j(4\cdot g_j(x))$ is a Boolean polynomial in the Boolean variables $x_0, \ldots, x_{j-2}$ for $j \ge 2$, and is 0 otherwise. Thus,
$$(4.3.1)\qquad \delta_j(H_i(x)) \equiv x_j + \beta(i)\,x_0 \cdots x_{j-1} + \lambda_{ji}(x_0, \ldots, x_{j-1}) \pmod 2,$$
where $\deg \lambda_{ji} < j$, $j = 1, 2, \ldots$, and $\delta_0(H_i(x)) \equiv x_0 + \beta(i) \pmod 2$.

Assuming $\zeta_r = \delta_r(z)$ for $r = 0, 1, \ldots, m + n - 1$, one can consider $\beta(i)$ for $i \in \{0, 1, \ldots, 2^m - 1\}$ as a Boolean polynomial in the Boolean variables $\zeta_0, \ldots, \zeta_{m-1}$; similarly, $\lambda_{ji}$ could be considered as a Boolean polynomial in the Boolean variables $\zeta_0, \ldots, \zeta_{m+j-1}$. Since the degree of $\lambda_{ji}$ in the variables $x_0, \ldots, x_{j-1}$ is less than $j$ (see the argument above), the degree of this polynomial in the variables $\zeta_0, \ldots, \zeta_{m+j-1}$ is less than $m + j$. Thus, in view of 3.10 and (4.3.1), the mapping $W_n$ is transitive iff $\deg \beta = m$, i.e., iff the Boolean polynomial $\beta$ is of odd weight. Yet the latter is equivalent to the condition $\sum_{i=0}^{2^m-1} \beta(i) \equiv 1 \pmod 2$. This proves the proposition since $\sum_{i=0}^{2^m-1} \beta(i) \equiv \sum_{i=0}^{2^m-1} c_i \pmod 2$. □

Two important notes are worth being stated here. The first of them concerns further generalizations of Proposition 4.3.

4.4. Note. The proof of 4.3 shows that the proposition holds if the $H_j$ satisfy the following conditions: $\sum_{j=0}^{2^m-1} H_j(0) \equiv 1 \pmod 2$ and $\delta_i(H_j(x)) \equiv \delta_i(x) + \rho_i(j; x) \pmod 2$ $(i = 0, 1, 2, \ldots)$, where the Boolean polynomial $\rho_i$ in the Boolean variables $\delta_r(j), \delta_s(x)$ $(r \in \{0, 1, \ldots, m-1\},\ s \in \{0, 1, \ldots, i-1\})$ is of odd weight for $i > 0$ (see the argument proving (4.3.1) and the text thereafter). In order to satisfy the latter condition one can take e.g. $H_j(x) = x + h_j(x)$, where every $\delta_i(h_j)$ is a Boolean polynomial of even weight in the Boolean variables $\delta_0(x), \ldots, \delta_{i-1}(x)$¹. Also, one can assume in the conditions of 4.3 that, e.g., $H_j = (c_j + x) \oplus (2\cdot g_j(x))$ (or $H_j = c_j + x + 2\cdot g_j(x)$) for measure preserving $g_j$, etc.

Example. Let $H_j(x) = c_j + x + (x^2 \vee C_j)$, where $\sum_{j=0}^{2^m-1} c_j \equiv 1 \pmod 2$ and $C_j \equiv 7 \pmod 8$; then the recurrence sequence defined by $x_{i+1} = c_{i \bmod 2^m} + x_i + (x_i^2 \vee C_{i \bmod 2^m})$ is strictly uniformly distributed modulo $2^n$. It is sufficient to note only that $x^2 \vee 7$ is an even parameter, see [20]. This example is a variation on the theme of Theorem 3 there, which considers a similar problem for the sequence defined by the relation $x_{i+1} = (x_i + (x_i^2 \vee c_{i \bmod m})) \bmod 2^n$ with odd $m$ (the case when $T$ acts on a set of odd order is discussed below).

The second important note relates wreath products and truncation.

4.5. Note. From the proof of Proposition 4.3 it immediately follows that each recurrence sequence $\mathcal{X}_n$ defined by $x_{i+1} = f_{i \bmod 2^m}(x_i) \bmod 2^n$ with compatible $f_i$ could be obtained by truncation of the $m$ low order bits of the recurrence sequence defined by $z_{i+1} = G(z_i) \bmod 2^{n+m}$ for a suitable compatible mapping $G\colon \mathbb{Z}_2 \to \mathbb{Z}_2$. However, in practice it could be more convenient to produce the sequence according to the law $x_{i+1} = f_{i \bmod 2^m}(x_i) \bmod 2^n$ than according to the law $z_{i+1} = G(z_i) \bmod 2^{n+m}$ with further truncation, since the mapping $G$ could be extremely complicated despite all the $f_i$ being relatively simple. As a bonus we have also that all the results that are established further in the paper for truncated congruential generators remain true for generators of the form $x_{i+1} = f_{i \bmod 2^m}(x_i) \bmod 2^n$.

¹ Such mappings $h_j$ are called even parameters in [20].

Using the ideas of Proposition 4.3 it is possible to handle the case when $T$ acts on a set of odd order.

4.6. Proposition. Let $m > 1$ be odd; let, further, $\{f_0, \ldots, f_{m-1}\}$ be a finite sequence of compatible and ergodic mappings of $\mathbb{Z}_2$ onto itself, and let $\{d_0, \ldots, d_{m-1}\}$ be a finite sequence of 2-adic integers such that

• $\sum_{j=0}^{m-1} d_j \equiv 0 \pmod 2$, and

• the sequence $\{d_{i \bmod m} \bmod 2 : i = 0, 1, 2, \ldots\}$ is purely periodic with period length exactly $m$.

Put $H_j(x) = d_j \oplus f_j(x)$ (respectively, $H_j(x) = d_j + f_j(x)$). Then the wreath product $(H_j \bmod 2^n) \wr_{j=0}^{m-1} I$, where $I(j) = (j + 1) \bmod m$, defines a permutation $W\colon \mathbb{Z}/2^n m \to \mathbb{Z}/2^n m$ with a single cycle.

Moreover, the recurrence sequence $\mathcal{W}_n = \{x_i \in \mathbb{Z}/2^n\}$ defined by the relation
$$x_{i+1} = H_{i \bmod m}(x_i) \bmod 2^n$$
is a strictly uniformly distributed purely periodic sequence with period length exactly $2^n m$ such that every element of $\mathbb{Z}/2^n$ occurs at the period exactly $m$ times.

Obviously, it is sufficient to prove only the second part of the statement. We need the following

4.7. Lemma. Let $g_0, \ldots, g_{m-1}$ be a finite sequence of compatible mappings of $\mathbb{Z}_2$ onto itself such that

• $g_j(x) \equiv x + c_j \pmod 2$ for $j = 0, 1, \ldots, m-1$,

• $\sum_{j=0}^{m-1} c_j \equiv 1 \pmod 2$,

• the sequence $\{c_{i \bmod m} \bmod 2 : i = 0, 1, 2, \ldots\}$ is purely periodic with period length exactly $m$,

• $\delta_k(g_j(z)) \equiv \zeta_k + \varphi_k^j(\zeta_0, \ldots, \zeta_{k-1}) \pmod 2$, $k = 1, 2, \ldots$, where $\zeta_r = \delta_r(z)$, $r = 0, 1, 2, \ldots$,

• for each $k = 1, 2, \ldots$ an odd number of the Boolean polynomials $\varphi_k^j(\zeta_0, \ldots, \zeta_{k-1})$ in the Boolean variables $\zeta_0, \ldots, \zeta_{k-1}$ are of odd weight.

Then the recurrence sequence $\mathcal{Y} = \{x_i \in \mathbb{Z}_2\}$ defined by the relation $x_{i+1} = g_{i \bmod m}(x_i)$ is a strictly uniformly distributed sequence over $\mathbb{Z}_2$: it is purely periodic modulo $2^k$ for all $k = 1, 2, \ldots$ with period length exactly $2^k m$, and with each element of $\mathbb{Z}/2^k$ occurring at the period exactly $m$ times. Moreover,

(1) $2^{s+1} m$ is a (not necessarily exact, see Definition 2.4) period length of the sequence $\mathcal{V}_s = \{\delta_s(x_i) : i = 0, 1, 2, \ldots\}$ $(s = 0, 1, \ldots, k-1)$,

(2) $\delta_s(x_{i + 2^s m}) \equiv \delta_s(x_i) + 1 \pmod 2$ for all $s = 0, 1, \ldots, k-1$, $i = 0, 1, 2, \ldots$,

(3) for each $t = 1, 2, \ldots, k$ and each $r = 0, 1, 2, \ldots$ the sequence
$$x_r \bmod 2^t,\ x_{r+m} \bmod 2^t,\ x_{r+2m} \bmod 2^t,\ \ldots$$
is a purely periodic sequence of period length exactly $2^t$, and each element of $\mathbb{Z}/2^t$ occurs at the period exactly once.

Note. In view of 3.13 the conditions of the lemma imply that all the mappings $g_j$ preserve measure.
Proof of Lemma 4.7. Since every $g_j$ induces a permutation modulo $2^k$ (see 3.13), the wreath product $(g_j \bmod 2^k) \wr_{j=0}^{m-1} I$ is a permutation $R_k$ on $\mathbb{Z}/m \times \mathbb{Z}/2^k$; hence, the recurrence sequence $\mathcal{Y}_k$ defined by the relation $x_{i+1} = g_{i \bmod m}(x_i) \bmod 2^k$ is purely periodic.

We continue the proof of the lemma by induction on $k$. For $k = 1$ one has
$$x_{i+1} = (c_{i \bmod m} + x_i) \bmod 2.$$
Thus, $x_i \equiv x_0 + \sum_{j=0}^{i-1} c_{j \bmod m} \pmod 2$, and we have to calculate the exact length $P$ of a period of the sequence $b_i = \bigl(\sum_{j=0}^{i-1} c_{j \bmod m}\bigr) \bmod 2$ (see Definition 2.4). Yet $b_{i+1} \equiv b_i + c_{i \bmod m} \pmod 2$ for all $i$; this means that the sequence $\mathcal{C} = \{c_{i \bmod m} \bmod 2\}$ is a linear recurrence sequence over the field $\mathbb{Z}/2$ with characteristic polynomial $1 + y + \cdots + y^{m-1} \in (\mathbb{Z}/2)[y]$ (see e.g. [17] for definitions). Since the latter polynomial is a factor of the polynomial $y^P - 1$, $P$ is a period length of the sequence $\mathcal{C}$. Yet $m$ is the exact period length of the sequence $\mathcal{C}$, so $m$ must be a factor of $P$. Yet
$$x_{i+m} \equiv x_i + \sum_{j=0}^{m-1} c_j \equiv x_i + 1 \pmod 2,\qquad x_{i+2m} \equiv x_i + 2\cdot\sum_{j=0}^{m-1} c_j \equiv x_i \pmod 2;$$
thus, $P = 2m$. This proves the lemma for $k = 1$, since $\mathcal{V}_0 = \mathcal{Y}_1$ in this case.

Now let the lemma be true for $k = n$; consider $k = n + 1$. Denote $\delta_n(x_i) = x_n^i$; then

$$(4.7.1)\qquad x_n^i \equiv x_n^0 + \sum_{j=0}^{i-1} \varphi_n^{j \bmod m}(x_0^j, \ldots, x_{n-1}^j) \pmod 2.$$

Since by the induction hypothesis the period length of the sequence $\mathcal{X}_n$ is exactly $2^n m$, and since all $g_j$ are compatible, the period length of $\mathcal{X}_{n+1}$ is a multiple of $2^n m$; thus only two cases are possible: the exact period length of $\mathcal{X}_{n+1}$ is either $2^{n+1} m$, or it is $2^n m$. We shall prove that the latter case does not take place. To do this we only have to demonstrate that $x_n^{r + 2^n m} \not\equiv x_n^r \pmod 2$. In view of the induction hypothesis one has

$$(4.7.2)\qquad x_n^{r + 2^n m} \equiv x_n^r + \sum_{i=r}^{2^n m - 1 + r} \varphi_n^{i \bmod m}(x_0^i, \ldots, x_{n-1}^i) \equiv x_n^r + \sum_{j=0}^{m-1} \sum_{z \in \mathbb{Z}/2^n} \varphi_n^{j}(\zeta_0, \ldots, \zeta_{n-1}) \equiv x_n^r + 1 \pmod 2,$$

for all $r = 0, 1, 2, \ldots$ (here $\zeta_s = \delta_s(z)$), since an odd number of the Boolean polynomials $\varphi_n^{0}, \varphi_n^{1}, \ldots, \varphi_n^{m-1}$ are of odd weight. This proves (2) of the lemma's statement; also, as (4.7.2) implies $x_n^{r + 2^n m} \not\equiv x_n^r \pmod 2$, the exact period length of $\mathcal{X}_{n+1}$ is $2^{n+1} m$ in view of the above note. Moreover, congruence (4.7.2) implies $x_n^{r + 2^{n+1} m} \equiv x_n^r \pmod 2$, thus proving claim (1) of the lemma. Last, by claim (3) of the induction hypothesis the following string of $2^n$ numbers

$$x_r \bmod 2^n,\ x_{r+m} \bmod 2^n,\ x_{r+2m} \bmod 2^n,\ \ldots,\ x_{r+(2^n-1)m} \bmod 2^n$$

is a permutation of $0, 1, 2, \ldots, 2^n - 1$. Hence, all the numbers

$$x_r,\ x_{r+m},\ x_{r+2m},\ \ldots,\ x_{r+(2^n-1)m}$$

are pairwise distinct modulo $2^{n+1}$. Thus, for each $z \in \{0, 1, \ldots, 2^n - 1\}$ among the numbers

$$(4.7.3)\qquad x_r,\ x_{r+m},\ x_{r+2m},\ \ldots,\ x_{r+(2^{n+1}-1)m}$$

there exist exactly two numbers (say, $x_u$ and $x_v$) such that $u \ne v$ and $z \equiv x_u \equiv x_v \pmod{2^n}$. Thus, $u \equiv v \pmod{2^n m}$ in view of claim (3) of the induction hypothesis. Hence necessarily $v = u + 2^n m$. But then $x_u \not\equiv x_v \pmod{2^{n+1}}$, since $\delta_n(x_u) \equiv \delta_n(x_v) + 1 \pmod 2$ in view of (4.7.2). Thus, all $2^{n+1}$ numbers of (4.7.3) are pairwise distinct modulo $2^{n+1}$. This proves claim (3) of the lemma.

Since, as we have already proved, the sequence $\mathcal{X}_{n+1}$ is purely periodic with period length exactly $2^{n+1} m$, the finite sequence

$$x_0 \bmod 2^{n+1},\ x_1 \bmod 2^{n+1},\ \ldots,\ x_{2^{n+1} m - 1} \bmod 2^{n+1}$$

is a period of $\mathcal{X}_{n+1}$. But according to the already proven claim (3), among these numbers there exist exactly $m$ numbers that are congruent to $z$ modulo $2^{n+1}$ for each given $z \in \{0, 1, \ldots, 2^{n+1} - 1\}$. This completes the proof of the lemma. □

Note. Nowhere in the proof of lemma 4.7 did we use that $m$ is odd. Hence, the lemma holds for arbitrary, and not necessarily odd, $m > 1$.

Proof of proposition 4.6. The proof of proposition 4.6 for the case $H_j(x) = d_j \oplus f_j(x)$ is now obvious in view of 3.13 and lemma 4.7: Note only that the sequence $\{d_j + 1 : j = 0, 1, 2, \ldots\}$ satisfies the conditions of the lemma. So to finish the proof we only have to consider the case $H_j(x) = d_j + f_j(x)$.

The proof in the latter case goes along lines similar to those of lemma 4.7. Namely, for $n = 1$ one has $x_{i+1} = (d_{i \bmod m} + x_i + 1) \bmod 2$, since every ergodic mapping modulo 2 is equivalent to the mapping $x \mapsto x + 1$, see 3.10; so putting $c_i = d_i + 1$ returns us to the situation of lemma 4.7 whenever $n = 1$.

Assuming the proposition is true for $n = k$, we prove it for $n = k + 1$. In view of 3.13 we have that for $s > 0$

$$\delta_s(H_j(x)) \equiv x_s + (d_j + 1)\, x_0 \cdots x_{s-1} + \psi_s^{j}(x_0, \ldots, x_{s-1}) \pmod 2,$$

where $\deg \psi_s^{j} < s$ (this congruence could be easily proved by induction on $s$: the coefficient of the monomial $x_0 \cdots x_{s-1}$ in the Boolean polynomial that represents the carry to the $s$-th digit is $\delta_0(d_j)$). Thus, for $k \ge 1$ one obtains

$$x_k^{2^k m} \equiv x_k^0 + \sum_{j=0}^{2^k m - 1} (d_{j \bmod m} + 1)\, x_0^j \cdots x_{k-1}^j + \sum_{j=0}^{2^k m - 1} \psi_k^{j \bmod m}(x_0^j, \ldots, x_{k-1}^j) \equiv x_k^0 + \sum_{j=0}^{m-1} (d_j + 1) \sum_{z \in \mathbb{Z}/2^k} \zeta_0 \cdots \zeta_{k-1} + \sum_{j=0}^{m-1} \sum_{z \in \mathbb{Z}/2^k} \psi_k^{j}(\zeta_0, \ldots, \zeta_{k-1}) \equiv x_k^0 + 1 \pmod 2,$$

since all Boolean polynomials $\psi_k^{j}(\zeta_0, \ldots, \zeta_{k-1})$ are of even weight. This completes the proof of the proposition. □

Example. A mapping $g_j(x) = x + (x^2 \vee c_j)$ is ergodic iff $\delta_0(c_j) = 1$ and $\delta_2(c_j) = 1$ (see 3.14). Let a sequence $\{d_j : j = 0, 1, 2, \ldots\}$ satisfy the conditions of proposition 4.6. Then the sequence $\{x_{i+1} = (x_i + d_i + (x_i^2 \vee c_i)) \bmod 2^k : i = 0, 1, 2, \ldots\}$ is purely periodic modulo $2^k$ for all $k = 1, 2, \ldots$ with period length $2^k m$, and each element of $\mathbb{Z}/2^k$ occurs at the period exactly $m$ times.

This is another variation on the theme of [20, Theorem 3]. Note that we prove a somewhat stronger claim: Not only is the sequence of pairs $(y_i, x_i)$ defined by $y_{i+1} = (y_i + 1) \bmod m$, $x_{i+1} = (x_i + d_{y_i} + (x_i^2 \vee c_{y_i})) \bmod 2^n$ periodic with period length $2^n m$, but the period length of the sequence $\{x_i\}$ itself is $2^n m$. The latter could never be achieved under the conditions of Theorem 3 of [20]: They imply that the period length of the sequence $\{x_i \bmod 2\}$ is 2, and not $2m$.

Note. Obviously, after a corresponding restatement, proposition 4.6, as well as lemma 4.7, remain true for an arbitrary permutation $f\colon \mathbb{Z}/m \to \mathbb{Z}/m$ with a single cycle.

In connection with proposition 4.6 there arises a natural question: how to construct a sequence $\{d_j\}$ that satisfies its conditions?

4.8. Proposition. Let $m > 1$ be odd, and let $u\colon \mathbb{Z}/m \to \mathbb{Z}/m$ be an arbitrary permutation with a single cycle. Choose arbitrary $z \in \mathbb{Z}/m$ and set $d_i = u^{(i)}(z) \bmod m$ if $m \equiv 1 \pmod 4$, or set $d_i = (u^{(i)}(z) + 1) \bmod m$ otherwise ($i = 0, 1, 2, \ldots$). Then the sequence $\mathcal{V} = \{d_i\}$ satisfies the conditions of proposition 4.6: that is, $\mathcal{V}$ is purely periodic with period length exactly $m$, and $\sum_{i=0}^{m-1} d_i \equiv 0 \pmod 2$.

Proof. Obviously, the sequence $\mathcal{V}$ is purely periodic. Let $P$ be the period length of $\mathcal{V}$. Thus, $P$ is a factor of $m$. Note that since $m = 2s + 1$, exactly $s$ numbers of $0, 1, \ldots, m - 1$ are odd. Denote by $r_0$ (respectively, $r_1$) the number of even (respectively, odd) numbers at the period of $\mathcal{V}$: $\frac{m}{P} r_1 = s$, and $\frac{m}{P} r_0 = s + 1$. Thus, $\frac{m}{P}(r_0 - r_1) = 1$; hence $\frac{m}{P} = 1$. So, the period length of $\mathcal{V}$ is exactly $m$. The result now follows since $\sum_{i=0}^{m-1} d_i \equiv 0 \pmod 2$ iff $s \equiv 0 \pmod 2$. □

4.9. Note. Thus, to construct a sequence $\{d_j\}$ of proposition 4.6 it is sufficient to construct a permutation with a single cycle modulo $m$. Of course, this could be done in various ways, depending on the extra conditions the whole generator should satisfy. For instance, if one intends to use a maximum of memory calls instead of computations on the fly, one can merely take an arbitrary array of $\{0, 1, \ldots, m - 1\}$ in arbitrary order. On the contrary, if one needs to produce $d_j$ on the fly, one could construct a corresponding generator modulo $m$ with a compatible state transition function and a bijective modulo $m$ output function. This could be done e.g. with the use of 3.5, 3.7, 3.8, and 3.10. In case $m = 2^k - 1$ an alternative way is to use linear recurrence sequences of maximum period over $\mathbb{Z}/2$: note that often sequences of this kind could be constructed with the use of xor's and left-right shifts only, see e.g. [23].

The above results of this subsection show how to construct a sequence $x_{i+1} = f_{i \bmod m}(x_i) \bmod 2^n$ of maximum period length $2^n m$ in two cases: when $m$ is odd, and when $m = 2^k$. Now we consider the general case of arbitrary $m > 1$.
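The following Python script, added here as an illustration and not part of the paper, carries out the construction of proposition 4.8 and checks the claims of the Example following proposition 4.6 by brute force. All parameters are constructed for the example: $m = 5$ (so $m \equiv 1 \pmod 4$ and $d_i = u^{(i)}(z)$), the single-cycle permutation $u$ of $\mathbb{Z}/5$ is given as a table, $z = 0$, and the constants $c_j \in \{5, 7\}$ satisfy $\delta_0(c_j) = \delta_2(c_j) = 1$, so that each $x + (x^2 \vee c_j)$ is ergodic; the script also verifies that ergodicity modulo $2^k$ directly.

```python
"""Proposition 4.8 and the Example after proposition 4.6, checked by brute force.
Added example; the parameters below are constructed, not taken from the paper."""
from collections import Counter

M = 5                      # m = 5 is odd and m = 1 (mod 4), so d_i = u^(i)(z) (Prop. 4.8)
U = [1, 3, 0, 4, 2]        # permutation of Z/5 as a table: 0 -> 1 -> 3 -> 4 -> 2 -> 0
Z0 = 0                     # starting point z of the cycle
C = [5, 7, 5, 7, 7]        # c_j with delta_0(c_j) = delta_2(c_j) = 1: x + (x^2 OR c_j) ergodic


def is_single_cycle(u):
    """True iff the permutation table u is one cycle through all of Z/len(u)."""
    x, seen = 0, set()
    for _ in range(len(u)):
        seen.add(x)
        x = u[x]
    return x == 0 and len(seen) == len(u)


def d_sequence(u, z):
    """One period d_0, ..., d_{m-1} with d_i = u^(i)(z): the m = 1 (mod 4) case of 4.8."""
    ds, x = [], z
    for _ in range(len(u)):
        ds.append(x)
        x = u[x]
    return ds


D = d_sequence(U, Z0)


def exact_period(seq):
    """Smallest period of a purely periodic sequence given as one full period."""
    n = len(seq)
    return next(p for p in range(1, n + 1)
                if n % p == 0 and all(seq[i] == seq[(i + p) % n] for i in range(n)))


def satisfies_4_6(ds):
    """Conditions used in the proof of 4.6: the parity sequence {d_i mod 2} has exact
    period m (lemma 4.7 needs this of c_i = d_i + 1) and the sum of the d_i is even."""
    return exact_period([d & 1 for d in ds]) == len(ds) and sum(ds) % 2 == 0


def is_transitive(c, k):
    """Ergodicity of x + (x^2 OR c) modulo 2^k: the orbit of 0 is a single 2^k-cycle."""
    mod, x, seen = 1 << k, 0, set()
    for _ in range(mod):
        seen.add(x)
        x = (x + ((x * x) | c)) % mod
    return x == 0 and len(seen) == mod


def wreath_step(x, j, k, ds=D):
    """H_j(x) = d_j + x + (x^2 OR c_j) reduced modulo 2^k."""
    return (x + ds[j] + ((x * x) | C[j])) % (1 << k)


def run_generator(k, ds=D, x0=0):
    """First 2^k * m states of x_{i+1} = H_{i mod m}(x_i) mod 2^k, and the state after them."""
    xs, x = [], x0
    for i in range((1 << k) * M):
        xs.append(x)
        x = wreath_step(x, i % M, k, ds)
    return xs, x


def check_example(k, ds=D):
    """Claim of the Example: modulo 2^k the sequence is purely periodic with period exactly
    2^k * m, and every residue occurs exactly m times per period."""
    xs, x_after = run_generator(k, ds)
    if x_after != xs[0]:                 # 2^k * m is not even a period
        return False
    counts = Counter(xs)
    return exact_period(xs) == len(xs) and all(counts[z] == M for z in range(1 << k))
```

The last two functions accept any period of $d_j$ values, so a sequence violating the parity condition of 4.6 can be fed in to watch the period collapse already modulo 2.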

4.10. Theorem. Let $\mathcal{G} = \{g_0, \ldots, g_{m-1}\}$ be a finite sequence of compatible measure preserving mappings of $\mathbb{Z}_2$ onto itself such that

(1) the sequence $\{(g_{i \bmod m}(0)) \bmod 2 : i = 0, 1, 2, \ldots\}$ is a purely periodic sequence with period length exactly $m$;

(2) $\sum_{i=0}^{m-1} g_i(0) \equiv 1 \pmod 2$;

(3) $\sum_{j=0}^{m-1} \sum_{z=0}^{2^k - 1} (g_j(z) - z) \equiv 2^k \pmod{2^{k+1}}$ for all $k = 1, 2, \ldots$.

Then the recurrence sequence $\mathcal{Z}$ defined by the relation $x_{i+1} = g_{i \bmod m}(x_i)$ is strictly uniformly distributed modulo $2^n$ for all $n = 1, 2, \ldots$: i.e., modulo each $2^n$ it is a purely periodic sequence with period length exactly $2^n m$ and with each element of $\mathbb{Z}/2^n$ occurring at the period exactly $m$ times.

Note. Since in view of 3.13 a compatible mapping $g_i\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ preserves measure iff

$$\delta_k(g_i(x)) \equiv x_k + \varphi_k^{i}(x_0, \ldots, x_{k-1}) \pmod 2,$$

where $x_s = \delta_s(x)$ ($s = 0, 1, 2, \ldots$), condition (3) of theorem 4.10 could be replaced by the equivalent condition

$$\sum_{j=0}^{m-1} \operatorname{wt} \varphi_k^{j} \equiv 1 \pmod 2 \qquad (k = 1, 2, \ldots),$$

where $\operatorname{wt} \varphi_k^{j}$ is the weight of the Boolean polynomial $\varphi_k^{j}$ in the variables $x_0, \ldots, x_{k-1}$. In turn, since for every Boolean polynomial $\varphi$ in the variables $x_0, \ldots, x_{k-1}$ one has $\operatorname{wt} \varphi \equiv \mathrm{Coef}_{0,\ldots,k-1}(\varphi) \pmod 2$, where $\mathrm{Coef}_{0,\ldots,k-1}(\varphi)$ stands for the coefficient of the monomial $x_0 \cdots x_{k-1}$ in the Boolean polynomial $\varphi$, the latter condition could also be replaced by

$$\sum_{j=0}^{m-1} \mathrm{Coef}_{0,\ldots,k-1}(\varphi_k^{j}) \equiv 1 \pmod 2 \qquad (k = 1, 2, \ldots),$$

or by

$$\sum_{j \,:\, \deg \varphi_k^{j} = k} 1 \equiv 1 \pmod 2 \qquad (k = 1, 2, \ldots).$$

Proof of theorem 4.10. Practically everything is already done during the proof of 4.7: we just note that congruence (4.7.2) now holds in view of condition (3) of the theorem. □

Note. For $m = 1$ theorem 4.10 turns into the ergodicity criterion 3.13; so theorem 4.10 could be considered as a generalization of this criterion.

Theorem 4.10 is our main technical tool in constructing automata with strictly uniformly distributed recurrence sequences $x_{i+1} = f_i(x_i)$ of internal states outputting strictly uniformly distributed sequences of the form $F_0(x_0), F_1(x_1), \ldots$. The above mentioned results (e.g. 4.4 and 4.6) could be derived from theorem 4.10, and new results for even $m$ that is not a power of 2 could also be obtained with the use of it:

Example. For instance, take odd $s$, $1 \le s < m$, and take $s$ arbitrary compatible and ergodic mappings $g_j\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ ($j = 0, 1, \ldots, s - 1$). Take $m - s$ arbitrary compatible and measure preserving mappings $h_k\colon \mathbb{Z}_2 \to \mathbb{Z}_2$, and set $g_k(x) = x \oplus 2h_k(x)$ ($k = s, s + 1, \ldots, m - 1$). Then in view of 3.13 it is easy to see that the finite sequence $\{g_i : i = 0, 1, \ldots, m - 1\}$ satisfies the conditions of theorem 4.10, and thus the recurrence sequence $x_{i+1} = g_{i \bmod m}(x_i)$ is strictly uniformly distributed modulo $2^n$ for all $n = 1, 2, \ldots$.

4.11. Note. During the proof of theorem 4.10 and of lemma 4.7 we have demonstrated that every $j$-th coordinate sequence $\mathcal{D}_j = \{\delta_j(x_i) : i = 0, 1, 2, \ldots\}$ ($j = 0, 1, 2, \ldots$) is a purely periodic binary sequence of period length $2^{j+1} m$, and the second half of the period is a bitwise negation of the first half: $\delta_j(x_{i + 2^j m}) \equiv \delta_j(x_i) + 1 \pmod 2$, $i = 0, 1, 2, \ldots$ (see claims (1)-(2) of lemma 4.7). Note, however, that the exact period length $P$ of the sequence $\{\delta_j(x_i) : i = 0, 1, 2, \ldots\}$ could actually be less than $2^{j+1} m$, i.e., $P \mid 2^{j+1} m$, yet not necessarily $P = 2^{j+1} m$ (however, $P$ is always a multiple of $2^{j+1}$, see 5.6). Indeed, the sequence $101010\ldots$ is a purely periodic sequence with period $10$ of length 2; at the same time it could be considered as a purely periodic sequence with period $101010$ of length 6. Note that in both cases the second half of the period is a bitwise negation of its first half. Such an effect could never occur for $j = 0$, since $\mathcal{D}_0 = \mathcal{X}_1$, and the latter sequence has period length exactly $2m$ in view of lemma 4.7. However, this effect could occur for senior coordinate sequences. For instance, let $\mathcal{D}_0$ be a purely periodic sequence with period $111000$; let $\mathcal{D}_1$ be a purely periodic sequence with period $110011001100$. The exact period length of $\mathcal{D}_1$ is 4; yet it could be considered as a sequence of period 12, and the second half of the period is a bitwise negation of the first half. The sequence $\mathcal{X}_2$ in this case is a purely periodic sequence with period $331022113200$. It is not difficult to demonstrate that this sequence $\mathcal{X}_2$ satisfies lemma 4.7, i.e., one could construct mappings $g_0, g_1, g_2$ satisfying the lemma such that the outputted sequence $\mathcal{X}_2$ is our sequence with period $331022113200$. A characterization of possible output sequences is given by theorem 5.10 further.

Finally we consider the case of wreath products of automata with non-identity output functions.

4.12. Corollary. Let a finite sequence of mappings $\{f_0, \ldots, f_{m-1}\}$ of $\mathbb{Z}_2$ into itself satisfy the conditions of theorem 4.10, and let $\{F_0, \ldots, F_{m-1}\}$ be an arbitrary finite sequence of equiprobable (and not necessarily compatible) mappings of $\mathbb{Z}/2^n$ ($n \ge 1$) onto $\mathbb{Z}/2^k$, $1 \le k \le n$. Then the sequence $\mathcal{F} = \{F_{i \bmod m}(x_i) : i = 0, 1, 2, \ldots\}$, where $x_{i+1} = f_{i \bmod m}(x_i) \bmod 2^n$, is strictly uniformly distributed over $\mathbb{Z}/2^k$: It is purely periodic with period length $2^n m$, and each element of $\mathbb{Z}/2^k$ occurs at the period exactly $2^{n-k} m$ times.

Proof. Obvious: combine claim (3) of lemma 4.7 and proposition 2.3. □

Note that the results of this subsection could be extended to cover the case $p$ odd, that is, to the case of wreath products of the form $H_j \wr T$, where $T\colon \mathbb{Z}/p^n \to \mathbb{Z}/p^n$ (and even for $H_j \wr T$, where $T\colon \mathbb{Z}/m \to \mathbb{Z}/m$, $m > 1$ an arbitrary rational integer). This case is also of cryptographic importance: the corresponding techniques could be used e.g. to construct sequences of the type $\mathcal{V}$ of proposition 4.8. However, this is an issue of a forthcoming paper.

Equalizing period lengths of coordinate sequences. All the generators with the identity output function considered above demonstrate a property which was already mentioned at the beginning of this section, and which in loose terms could be stated as follows: Less significant bits of the output have smaller periods. To be more exact, although for any of these automata the corresponding output sequence $\mathcal{S} = \{s_0, s_1, \ldots\}$ over $\mathbb{Z}/2^n$ is always purely periodic of period length exactly $2^n \ell$ (where $\ell = 2^m$ for sequences outputted by wreath products of automata described by 4.3 or 4.5, $\ell = m$ in case the wreath products are of 4.6, 4.7, or 4.10, and $\ell = 1$ for congruential generators of a maximum period length), the $j$-th coordinate sequence $\delta_j(\mathcal{S}) = \{\delta_j(s_0), \delta_j(s_1), \ldots\}$ could be of smaller period length (see e.g. note 4.11 above). In fact, as it is shown further, the exact period length of the $j$-th coordinate sequence of a congruential generator of a maximum period length is $2^{j+1}$ (see 5.1); it is a factor of $2^{j+1} \ell$ and a multiple of (which is possibly equal to) $2^{j+1}$ for wreath products of generators (see 5.6). So only the senior coordinate sequence $\delta_{n-1}(\mathcal{S})$ may achieve exact period length $2^n \ell$; at least, its exact period length is not less than $2^n$. Nothing more could be said either if we use general non-identity equiprobable output functions (see 2.3 and 4.12). However, such a "disbalance" of periods could be cured if we apply non-identity output functions in some special way.

Namely, let $\pi = \pi_n$ be the bit order reversing permutation on $\mathbb{Z}/2^n$, which was defined in section 2, and let $h_i$ ($i = 0, 1, \ldots, m - 1$) be compatible and ergodic mappings of $\mathbb{Z}_2$ onto itself. Then the composition $F_i(x)\colon x \mapsto (h_i(\pi(x))) \bmod 2^n$ ($x \in \{0, 1, \ldots, 2^n - 1\}$) is a bijective mapping of $\mathbb{Z}/2^n$ onto itself. We argue that if we take $F_i$ as an output function, then the sequence $\mathcal{F}$ of 4.12 is free of the less significant bit effect mentioned above. To be more exact, the following proposition holds:

4.13. Proposition. Let $h_i$, $i = 0, 1, 2, \ldots, m - 1$, be compatible and ergodic mappings of $\mathbb{Z}_2$ onto itself. Define $F_i\colon \mathbb{Z}/2^n \to \mathbb{Z}/2^n$ by $F_i(x) = (h_i(\pi(x))) \bmod 2^n$ ($x \in \{0, 1, \ldots, 2^n - 1\}$), where $\pi = \pi_n$ is the bit order reversing permutation on $\mathbb{Z}/2^n$ (see Section 2 for the definition of the latter). Consider the sequence $\mathcal{F}$ over $\mathbb{Z}/2^n$ defined in 4.12. Then the exact period length of the $j$-th coordinate sequence $\delta_j(\mathcal{F})$ ($j = 0, 1, 2, \ldots, n - 1$) is $2^n k_j$, where $1 \le k_j \le \ell$.

Moreover, the same holds if $m = 1$ (and whence $\ell = 1$), i.e., when $\mathcal{F}$ is the output sequence of the automaton $\mathfrak{A} = \langle N, M, f, F, u_0 \rangle$, where $N = M = \mathbb{Z}/2^n$, $f = f \bmod 2^n$, $f$ and $h$ are compatible and ergodic mappings of $\mathbb{Z}_2$ onto itself, $F(x) = (h(\pi(x))) \bmod 2^n$, $x \in \{0, 1, \ldots, 2^n - 1\}$: The exact period length of the $j$-th coordinate sequence $\delta_j(\mathcal{F})$ is $2^n$ for all $j = 0, 1, 2, \ldots, n - 1$.

Note. Hence, $\mathcal{F}$ is a purely periodic sequence of period length exactly $2^n m$, and with each element of $\mathbb{Z}/2^n$ occurring at the period exactly $m$ times (see 4.12, 2.3).

To prove this proposition we need the following easy

4.14. Lemma. Let $\mathcal{X} = \{x_i : i = 0, 1, 2, \ldots\}$ and $\mathcal{Y} = \{y_i : i = 0, 1, 2, \ldots\}$ be purely periodic sequences over $\mathbb{Z}/2$ with exact period lengths $2^u$ and $2^v$, respectively, and let $u > v$. Then the sequence $\mathcal{X} \oplus \mathcal{Y} = \{x_i \oplus y_i : i = 0, 1, 2, \ldots\}$ is purely periodic with period length exactly $2^u$.

If, additionally, $x_{i + 2^{u-1}} \equiv x_i + 1 \pmod 2$ for all $i = 0, 1, 2, \ldots$, and if $\mathcal{Y}$ is a non-zero sequence, then the sequence $\mathcal{X} \odot \mathcal{Y} = \{x_i \cdot y_i : i = 0, 1, 2, \ldots\}$ is purely periodic with period length exactly $2^u$.

Proof of lemma 4.14. The first assertion of the lemma is obvious. To prove the second one, assume $P$ is the exact period length of the sequence $\{x_i \cdot y_i : i = 0, 1, 2, \ldots\}$. Then $P = 2^s$ for suitable $s \le u$. Yet if $s < u$, then $x_{i + 2^{u-1}} \cdot y_{i + 2^{u-1}} \equiv x_i \cdot y_i \pmod 2$ for all $i = 0, 1, 2, \ldots$; thus $(x_i + 1) \cdot y_i \equiv x_i \cdot y_i \pmod 2$ and hence $y_i \equiv 0 \pmod 2$ for all $i = 0, 1, 2, \ldots$. A contradiction. □

Proof of proposition 4.13. In view of assertions (2) and (3) of lemma 4.7, each subsequence $\mathcal{F}(r) = \{z_{r + tm} : t = 0, 1, 2, \ldots\}$, $r = 0, 1, \ldots, m - 1$, of the sequence $\mathcal{F} = \{z_i : i = 0, 1, 2, \ldots\}$ satisfies the following condition: Each coordinate sequence $\delta_j(\mathcal{F}(r))$ is a purely periodic sequence of period length exactly $2^{j+1}$, and the second half of the period is a bitwise negation of the first half, i.e., $\delta_j(z_{r + (t + 2^j) m}) \equiv \delta_j(z_{r + tm}) + 1 \pmod 2$ for all $t = 0, 1, 2, \ldots$. Thus, in view of theorem 5.9, which is proved further, the sequence $\mathcal{F}(r)$ is an output sequence of a suitable automaton $\mathfrak{B} = \langle \mathbb{Z}_2, \mathbb{Z}/2^n, f, \bmod 2^n, z_r \rangle$, where $f$ is a compatible and ergodic mapping of $\mathbb{Z}_2$ onto itself. Thus, the first assertion of the proposition follows from the second one, i.e., it is sufficient to consider only the case $m = 1$.

Now represent $h$ in Boolean form according to 3.13. So,

$$\delta_j(h(x)) \equiv x_j + \varphi_j(x_0, \ldots, x_{j-1}) \pmod 2,$$

where $x_k = \delta_k(x)$, and $\varphi_j$ is a Boolean polynomial of odd weight in the Boolean variables $x_0, \ldots, x_{j-1}$ for $j > 0$, $\varphi_0 = 1$. Note that for $j > 0$

$$(4.14.1)\qquad \delta_j(h(x)) \equiv x_j + x_0 \cdot x_1 \cdots x_{j-1} + \psi_j(x_0, \ldots, x_{j-1}) \equiv x_j + x_0 \cdot \alpha_j(x_1, \ldots, x_{j-1}) + \beta_j(x_1, \ldots, x_{j-1}) \pmod 2,$$

where $\psi_j, \alpha_j, \beta_j$ are Boolean polynomials of the corresponding Boolean variables, and $\deg \psi_j < j$, so $\alpha_j$ is a non-zero polynomial.

For binary sequences $\mathcal{U}, \mathcal{V}, \mathcal{W}, \ldots$ (which could be treated as 2-adic integers) and a Boolean polynomial $\gamma(u, v, w, \ldots)$ of Boolean variables $u, v, w, \ldots$ denote by $\gamma(\mathcal{U}, \mathcal{V}, \mathcal{W}, \ldots)$ the binary sequence $\mathcal{S}$ (thus, a 2-adic integer) such that

$$\delta_j(\mathcal{S}) \equiv \gamma(\delta_j(\mathcal{U}), \delta_j(\mathcal{V}), \delta_j(\mathcal{W}), \ldots) \pmod 2$$

for all $j = 0, 1, 2, \ldots$. Loosely speaking, we just substitute, respectively, XOR and AND for $+$ and $\cdot$ in the Boolean polynomial $\gamma$ and let the variables $u, v, w, \ldots$ run through the space $\mathbb{Z}_2$ of 2-adic integers. Thus we obtain a well defined multivariate function $\gamma$ on $\mathbb{Z}_2$ valuated in $\mathbb{Z}_2$. Since there is a natural one-to-one correspondence between infinite binary sequences and 2-adic integers, the sequence $\gamma(\mathcal{U}, \mathcal{V}, \mathcal{W}, \ldots)$ is well defined. Note also that treating binary sequences as 2-adic integers enables one to produce infinite sequences of $n$-bit rational integers out of $n$ infinite binary sequences in an obvious manner: Say, $\mathcal{U} + 2 \cdot \mathcal{V} + 4 \cdot \mathcal{W}$ is the sequence $\mathcal{N} = \{n_0, n_1, \ldots \in \mathbb{N}_0\}$ such that $n_j = \delta_j(\mathcal{U}) + 2 \cdot \delta_j(\mathcal{V}) + 4 \cdot \delta_j(\mathcal{W})$ for $j = 0, 1, 2, \ldots$. For instance, if $\mathcal{U} = 101\ldots$, $\mathcal{V} = 110\ldots$, and $\mathcal{W} = 010\ldots$, then $\mathcal{N} = 361\ldots$ is a sequence over $\{0, 1, \ldots, 7\} = \mathbb{Z}/8$.

Proceeding with these conventions, let $\mathcal{C}_j$ (respectively, $\mathcal{D}_j$) be the $j$-th output sequence of the automaton $\mathfrak{B}$ (respectively, $\mathfrak{A}$). Let $\mathcal{E} = 111\ldots$. Then in view of (4.14.1) one has:

$$\mathcal{D}_0 = \mathcal{C}_{n-1} \oplus \mathcal{E};$$

$$\mathcal{D}_1 = \mathcal{C}_{n-2} \oplus \mathcal{C}_{n-1} \oplus \mathcal{B};$$

$$\mathcal{D}_j = \mathcal{C}_{n-j-1} \oplus \mathcal{C}_{n-1} \cdot \alpha_j(\mathcal{C}_{n-2}, \ldots, \mathcal{C}_{n-j}) \oplus \beta_j(\mathcal{C}_{n-2}, \ldots, \mathcal{C}_{n-j}) \qquad (j \ge 2),$$

where $\mathcal{B} = \beta_1 \beta_1 \beta_1 \ldots$ is a constant binary sequence. Note that $\mathcal{C}_i$ is a purely periodic binary sequence of period length exactly $2^{i+1}$, and the second half of the period is a bitwise negation of the first half, see 5.1 further. This completes the proof of proposition 4.13 in view of lemma 4.14 and the conventions made above, if we prove that the sequence $\alpha_j(\mathcal{C}_{n-2}, \ldots, \mathcal{C}_{n-j})$, $2 \le j \le n - 1$, is a non-zero binary sequence.

Consider the sequence $\mathcal{G}_j = 2^{j-2} \cdot \mathcal{C}_{n-2} + \cdots + 2^0 \cdot \mathcal{C}_{n-j}$ over $\mathbb{Z}/2^{j-1}$. The latter sequence is just an output sequence of the automaton $\mathfrak{C}_j = \langle \mathbb{Z}/2^{n-1}, \mathbb{Z}/2^{j-1}, f \bmod 2^{n-1}, T_{n-j-1}, u \rangle$, where $T_{n-j-1}$ is the truncation of the first $n - j$ low order bits: $T_{n-j-1}(z) = \lfloor z / 2^{n-j} \rfloor$. Thus, $\mathcal{G}_j$ is a purely periodic sequence of period length exactly $2^{n-1}$ and with each element of $\mathbb{Z}/2^{j-1}$ occurring at the period the same number of times. Yet $\alpha_j$ is a non-zero Boolean polynomial (see above); thus it takes value 1 at least at one $(j - 1)$-bit word of $\mathbb{Z}/2^{j-1}$. Consequently, at least one member of the sequence $\alpha_j(\mathcal{C}_{n-2}, \ldots, \mathcal{C}_{n-j})$ is 1. □

Note. There are other methods that improve periods of coordinate sequences. For instance, using the ideas of the proof of 4.13 it is not difficult to demonstrate that if a recurrence sequence is defined by a relation $x_{i+1} = f(x_i)$, where $f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is a compatible and ergodic mapping, then the binary sequence $\{\delta_k(x_i + 2^j \cdot \delta_s(x_i)) : i = 0, 1, 2, \ldots\}$ is purely periodic with period length exactly $2^{s+1}$ whenever $j \le k \le s$. From here it could be deduced that e.g. the sequence

$$\mathcal{Z} = \{(x_i + \pi_k(\lfloor x_i / 2^k \rfloor \bmod 2^k)) \bmod 2^k : i = 0, 1, 2, \ldots\}$$

is a purely periodic sequence over $\mathbb{Z}/2^k$ of period length exactly $2^{2k}$, such that each element of $\mathbb{Z}/2^k$ occurs at the period exactly $2^k$ times, and that each coordinate sequence of $\mathcal{Z}$ is a purely periodic binary sequence of period length exactly $2^{2k}$. Note that $\mathcal{Z}$ is obtained according to a very simple rule: at the $i$-th step take the $2k$-bit output of a congruential generator of a maximum period length with state transition function $f$, read the second half of this output as a $k$-bit number in reverse bit order and add this number modulo $2^k$ to the $k$-bit number that agrees with the first half of the output.



5. Properties

In this section we study common probabilistic, cryptographic and other properties of output sequences of the generators considered in the preceding sections: linear and 2-adic spans of these sequences, their structure, distribution of $k$-tuples in them, etc. We begin our study with properties of coordinate sequences of the automata considered above, that is, of the sequences $\{\delta_j(s_i) : i = 0, 1, 2, \ldots\}$, where $\{s_i\}$ is the output sequence of the automaton.

Properties of coordinate sequences. To study coordinate sequences it is convenient to consider an automaton $\mathfrak{A}'$ with state set $\mathbb{Z}_2$, compatible and ergodic state transition function $f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ and with identity output function $F(z) = z$. We also consider an automaton $\mathfrak{A}^j$ which differs from $\mathfrak{A}'$ only by the output function, which is $\delta_j(z)$ in this case. Thus the output sequence of $\mathfrak{A}^j$ is just the $j$-th coordinate sequence $\mathcal{S}_j = \{s_i = \delta_j(f^{(i)}(z)) : i = 0, 1, 2, \ldots\}$ of the automaton $\mathfrak{A}'$ (here $z \in \mathbb{Z}_2$ is the initial state of the automaton $\mathfrak{A}'$). Note that since $f$ is compatible, we may assume if necessary that $z \in \mathbb{Z}/2^{j+1}$, i.e., that all but possibly the first $j + 1$ junior bits of the 2-adic representation of $z$ are 0. That is, the output sequence of the automaton $\mathfrak{A}^j$ is the same as the one of the automaton $\mathfrak{A} = \langle \mathbb{Z}/2^{j+1}, \mathbb{Z}/2, f \bmod 2^{j+1}, \delta_j, z \bmod 2^{j+1} \rangle$, see Section 2.

It turns out that the $j$-th coordinate sequence has a rather specific structure. Namely, the following theorem holds.

5.1. Theorem. The $j$-th coordinate sequence is purely periodic, and $2^{j+1}$ is the length of its period. The second half of the period is a bitwise negation of its first half, i.e., $s_{i + 2^j} \equiv s_i + 1 \pmod 2$ for each $i = 0, 1, 2, \ldots$.

Proof. Since the mapping $f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is compatible and ergodic, the sequence $\{x_{i+1} = f(x_i) \bmod 2^{j+1} : i = 0, 1, 2, \ldots\}$ is purely periodic, with $2^{j+1}$ being the length of its period, whereas the sequence $\{x_{i+1} = f(x_i) \bmod 2^j : i = 0, 1, 2, \ldots\}$ is purely periodic, and the length of its period is exactly $2^j$. Yet $x_{i+1} \bmod 2^{j+1} = x_{i+1} \bmod 2^j + 2^j \delta_j(x_{i+1})$, and the first assertion of 5.1 follows.

Supposing $\delta_j(x_{i+1}) = \delta_j(x_{i+1+2^j})$ for some $i$, from the preceding equality one obtains $x_{i+1+2^j} \equiv x_{i+1} \pmod{2^{j+1}}$, and hence $x_{i+t+1+2^j} = f^{(t)}(x_{i+1+2^j}) \equiv x_{i+t+1} \pmod{2^{j+1}}$ for all $t = 0, 1, 2, \ldots$, in view of the compatibility of $f$. So the length of the period of the sequence $\{x_i \bmod 2^{j+1} : i = 0, 1, 2, \ldots\}$ does not exceed $2^j$, in contradiction with the ergodicity of $f$, see 2.2. □

5.2. Note. Theorem 5.1 could be generalized in two directions. First, to output sequences of wreath products of automata (this is already done, see 4.11), and second, to the case $p$ odd.

In the latter case, provided the transformation $f\colon \mathbb{Z}_p \to \mathbb{Z}_p$ is compatible and ergodic, the $j$-th coordinate sequence $\{\delta_j(f^{(i)}(z)) : i = 0, 1, 2, \ldots\}$ is purely periodic, with $p^{j+1}$ being the length of its period (here and further within this remark $\delta_j(z)$ stands for the $j$-th digit in the base-$p$ expansion of $z$). Each subsequence $\{\delta_j(f^{(i + tp^j)}(z)) : t = 0, 1, 2, \ldots\}$ is a purely periodic sequence with $p$ being the length of the period; moreover, for $j > 0$ it is generated by a linear congruential generator modulo $p$, i.e., by a polynomial $a + x$ for appropriate $a \in \{1, 2, \ldots, p - 1\}$. So this sequence is strictly uniformly distributed modulo $p$: each $u \in \mathbb{Z}/p$ occurs at the period exactly once. The generator $\{\delta_0(f^{(i)}(z))\}$ is a (generally speaking, nonlinear) congruential generator of the form $v_{i+1} \equiv g(v_i) \pmod p$ for an appropriate transitive modulo $p$ polynomial $g(x)$ over the field $\mathbb{Z}/p$ of residues modulo $p$.

A proof of this assertion could be deduced from the proof of theorem 3.4 of [Ki] since in view of the $p$-adic Weierstrass theorem (see [3]) a transformation $z \mapsto f(z) \bmod p^{j+1}$ of the residue ring $\mathbb{Z}/p^{j+1}$ may be considered as a polynomial transformation $z \mapsto w(z) \bmod p^{j+1}$ induced by an integer-valued and compatible polynomial $w(x) \in \mathbb{Q}[x]$, i.e., by a polynomial of the form mentioned in 3.1. Thus the mapping $z \mapsto f(z) \bmod p^{j+1}$ could be considered as a reduction modulo $p^{j+1}$ of the compatible and ergodic mapping $w\colon \mathbb{Z}_p \to \mathbb{Z}_p$; the latter mapping is uniformly differentiable everywhere on $\mathbb{Z}_p$. Hence the assumptions of theorem 3.4 of [Ki] are satisfied. We omit further details.

We recall that the linear complexity $\Psi_F(\mathcal{S})$ of the sequence $\mathcal{S} = \{s_i : i = 0, 1, 2, \ldots\}$ over a field $F$ is the smallest $n \in \mathbb{N}$ such that every $n$ successive members of the sequence satisfy some non-trivial linear relation of length $n + 1$, i.e., there exist $a_0, a_1, \ldots, a_n$, not all equal to 0, such that $a_0 s_i + a_1 s_{i+1} + \cdots + a_n s_{i+n} = 0$ for all $i = 0, 1, 2, \ldots$. In this case we also say that the polynomial $a_0 + a_1 x + \cdots + a_n x^n \in F[x]$ annihilates $\mathcal{S}$ (1). In other words, linear complexity is just the degree of the minimal polynomial of $\mathcal{S}$ (the minimum degree nonzero polynomial that annihilates $\mathcal{S}$; a polynomial $g(x) \in F[x]$ annihilates $\mathcal{S}$ iff the minimal polynomial of $\mathcal{S}$ is a factor of $g(x)$; see e.g. [17] or [24] for references). In case $F = \mathbb{Z}/p$ is the field of $p$ elements we use for linear complexity over $F$ the notation $\Psi_p$ rather than $\Psi_{\mathbb{Z}/p}$.

Linear complexity is one of the properties crucial for cryptography: Pseudorandom generators that produce sequences of low linear complexity are not secure, since having a relatively short segment of the output sequence and solving the corresponding system of linear equations over $F$ a cryptanalyst could find $a_0, a_1, \ldots, a_n$ and thus predict with probability 1 the rest of the members of the sequence. Of course, high linear complexity per se does not guarantee security.

(1) A polynomial that annihilates $\mathcal{S}$ is also called a characteristic polynomial of the sequence $\mathcal{S}$.

5.3. Theorem. The linear complexity of the $j$-th coordinate sequence $\mathcal{S}_j$ is exactly $2^j + 1$.

We need the following lemma:

5.4. Lemma. Let $p$ be a prime, and let $\mathcal{S}$ be a purely periodic sequence over $\mathbb{Z}/p$ of period length exactly $p^{j+1}$. Then $\Psi_p(\mathcal{S}) > p^j$.

Proof of lemma 5.4. Since $p^{j+1}$ is the length of the period of the sequence $\mathcal{S}$, the polynomial $x^{p^{j+1}} - 1$ over the field $\mathbb{Z}/p$ annihilates $\mathcal{S}$. Yet $x^{p^{j+1}} - 1 = (x - 1)^{p^{j+1}}$; thus, the minimal polynomial $m(x)$ of $\mathcal{S}$ is of the form $(x - 1)^r$, where $r \le p^{j+1}$. However, the polynomial $x^{p^j} - 1 = (x - 1)^{p^j}$ does not annihilate $\mathcal{S}$, since otherwise the length of some period of $\mathcal{S}$ is a factor of $p^j$; yet $\mathcal{S}$ has no periods of length less than $p^{j+1}$ (see definition 2.4). Hence, $\deg m(x) = r > p^j$, since otherwise the polynomial $(x - 1)^{p^j}$ annihilates $\mathcal{S}$. □

Proof of theorem 5.3. Since $s_{i + 2^j} \equiv s_i + 1 \pmod 2$ for all $i = 0, 1, 2, \ldots$ (see 5.1), the congruence $s_{i + 1 + 2^j} + s_{i + 2^j} + s_{i+1} + s_i \equiv 0 \pmod 2$ holds for all $i = 0, 1, 2, \ldots$. Hence, the polynomial $x^{2^j + 1} + x^{2^j} + x + 1 = (x + 1)^{2^j + 1}$ annihilates the $j$-th coordinate sequence $\mathcal{S}_j = \{s_0, s_1, \ldots\}$. Now the assertion of 5.3 follows from 5.4. □
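The following Python script, added here as an illustration and not part of the paper, brute-forces the statements of theorems 5.1 and 5.3 for the coordinate sequences of a congruential generator with an ergodic state transition function, and the equalizing effect of the output function $F(x) = h(\pi_n(x)) \bmod 2^n$ of proposition 4.13. The mappings $f(x) = x + (x^2 \vee 5)$ and $h(x) = x + (x^2 \vee 7)$ and the modulus $2^5$ are constructed for the example; linear complexity is computed with the Berlekamp-Massey algorithm over $\mathbb{Z}/2$.

```python
"""Coordinate sequences of x_{i+1} = f(x_i) mod 2^n for an ergodic f (theorems 5.1, 5.3)
and the period-equalizing output F(x) = h(pi_n(x)) mod 2^n of proposition 4.13.
Added example; f, h and all parameters are constructed here, not taken from the paper."""


def ergodic_f(x):
    """State transition x + (x^2 OR 5); c = 5 has delta_0 = delta_2 = 1, so f is ergodic (3.14)."""
    return x + ((x * x) | 5)


def ergodic_h(x):
    """Second ergodic map of the same family (c = 7), used inside the output function."""
    return x + ((x * x) | 7)


def state_period(f, n, x0=0):
    """One full period of x_{i+1} = f(x_i) mod 2^n; for ergodic f it is all 2^n residues."""
    mod = 1 << n
    xs, x = [], x0 % mod
    for _ in range(mod):
        xs.append(x)
        x = f(x) % mod
    if x != xs[0] or len(set(xs)) != mod:
        raise ValueError("f is not transitive modulo 2^%d" % n)
    return xs


def exact_period(seq):
    """Smallest period of a purely periodic sequence given as one full period."""
    n = len(seq)
    return next(p for p in range(1, n + 1)
                if n % p == 0 and all(seq[i] == seq[(i + p) % n] for i in range(n)))


def coordinate(seq, j):
    """The j-th coordinate sequence delta_j(s_0), delta_j(s_1), ..."""
    return [(s >> j) & 1 for s in seq]


def linear_complexity(bits):
    """Berlekamp-Massey over Z/2: length of the shortest LFSR that generates `bits`."""
    n = len(bits)
    c, b = [0] * n, [0] * n
    c[0] = b[0] = 1
    L, m = 0, -1
    for i in range(n):
        d = bits[i]
        for k in range(1, L + 1):
            d ^= c[k] & bits[i - k]
        if d == 0:
            continue
        t = c[:]
        shift = i - m
        for k in range(n - shift):
            c[k + shift] ^= b[k]
        if 2 * L <= i:
            L, m, b = i + 1 - L, i, t
    return L


def coordinate_profile(n):
    """Per coordinate j of the state sequence mod 2^n: (exact period, whether the second
    half of the period negates the first half, linear complexity).  Theorems 5.1 and 5.3
    predict (2^(j+1), True, 2^j + 1)."""
    xs = state_period(ergodic_f, n)
    profile = []
    for j in range(n):
        s = coordinate(xs, j)
        p = exact_period(s)
        negated = all(s[i] ^ s[(i + p // 2) % len(s)] == 1 for i in range(len(s)))
        profile.append((p, negated, linear_complexity(s * 4)))  # 4 periods >= 2 * LC
    return profile


def bit_reverse(x, n):
    """pi_n: reverse the n-bit representation of x."""
    r = 0
    for _ in range(n):
        r, x = (r << 1) | (x & 1), x >> 1
    return r


def output_coordinate_periods(n, equalize):
    """Exact periods of the coordinate sequences of z_i = F(x_i), with F the identity
    (equalize=False) or F(x) = h(pi_n(x)) mod 2^n as in 4.13 (equalize=True)."""
    xs = state_period(ergodic_f, n)
    zs = [ergodic_h(bit_reverse(x, n)) % (1 << n) if equalize else x for x in xs]
    return [exact_period(coordinate(zs, j)) for j in range(n)]
```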

Theorem 5.3 could be generalized to the case of output sequences of wreath products of automata. Namely, the following proposition holds.

5.5. Proposition. Let $\mathcal{S} = \{s_i : i = 0, 1, 2, \ldots\}$ be any of the sequences $\mathcal{U}_n$, $\mathcal{W}_n$, $\mathcal{Y}_n$, $\mathcal{X}_n$, and $\mathcal{Z}$ defined, respectively, in 4.3, 4.5, 4.6, 4.7, and 4.10. Then the linear complexity of the $(n - 1)$-th coordinate sequence $\delta_{n-1}(\mathcal{S}) = \{\delta_{n-1}(s_i) : i = 0, 1, 2, \ldots\}$ exceeds $2^{n-1}$.

Proof. Since the period length of the sequence $\delta_{n-1}(\mathcal{S})$ is $2^n \ell$, where $\ell = 2^m$ for $\mathcal{S} \in \{\mathcal{U}_n, \mathcal{W}_n\}$, or $\ell = m$ otherwise (see the corresponding statements), the polynomial $u(x) = x^{2^n \ell} - 1 = (x^\ell - 1)^{2^n}$ annihilates $\delta_{n-1}(\mathcal{S})$. Thus, the minimal polynomial $m(x)$ of $\delta_{n-1}(\mathcal{S})$ is a factor of $u(x)$. On the other hand $m(x)$ is not a factor of $w(x) = (x^\ell - 1)^{2^{n-1}}$, since otherwise the sequence $\delta_{n-1}(\mathcal{S})$ has a period of length $2^{n-1} \ell$; however, this is impossible since the second half of the period of length $2^n \ell$ of this sequence is a bitwise negation of the first half, see 4.11. Since both polynomials $u(x)$, $w(x)$ have the same set of roots in their splitting field, at least one of these roots is a root of $m(x)$ with multiplicity exceeding $2^{n-1}$. Thus, $\deg m(x) > 2^{n-1}$. □

Speaking formally, proposition 5.5 holds for $\ell = 1$ as well, turning into theorem 5.3 in this case. Thus, we may say that the estimate of $\Psi_2(\delta_{n-1}(\mathcal{S}))$ given by proposition 5.5 is sharp. However, it could be improved for particular classes of $\ell$. For instance, if $\ell = 2^m$, i.e., if $\mathcal{S} \in \{\mathcal{U}_n, \mathcal{W}_n\}$, then $\Psi_2(\delta_{n-1}(\mathcal{S})) = 2^{n-1+m} + 1$ in view of note 4.5 and theorem 5.3. Also, if $\ell = 2^k m_1$, where $m_1$ is odd, then the proof of proposition 5.5 shows that $\Psi_2(\delta_{n-1}(\mathcal{S})) > 2^{n-1+k}$ in this case.

So it seems possible to improve significantly the estimate of linear complexity given by proposition 5.5 for various classes of wreath products described by 4.3, 4.5, 4.6, 4.7, and 4.10, i.e., for arbitrary $\ell > 1$. To do this now we have to run a bit ahead and to use theorem 5.10, which is proved further. With the use of this theorem, the general case could be reduced to the case $\ell > 1$ odd. Namely, in view of theorem 5.10, every purely periodic binary sequence of period length $2^n \ell$, $n \ge 1$, such that the second half of the period of this sequence is a bitwise negation of the first part of the period, could be considered as the $(n - 1)$-th coordinate sequence of a certain wreath product of automata that is described by theorem 4.10. Thus, if $\ell = 2^k m_1$ where $m_1$ is odd, this sequence in view of theorem 5.10 could be considered as the $(n - 1 + k)$-th coordinate sequence of a suitable wreath product of automata mentioned in theorem 4.10 for $m = m_1$ odd. So we can assume that $\ell$ is odd.

Proceeding with this note and using the congruence $\delta_{n-1}(s_{i + 2^{n-1} \ell}) \equiv \delta_{n-1}(s_i) + 1 \pmod 2$ (see 4.11) we obtain that the minimal polynomial $m_{n-1}(x)$ of the sequence $\delta_{n-1}(\mathcal{S})$ is a factor of the polynomial

$$x^{2^{n-1} \ell + 1} + x^{2^{n-1} \ell} + x + 1 = (x^\ell + 1)^{2^{n-1}} (x + 1) = (x^{\ell-1} + \cdots + x + 1)^{2^{n-1}} (x + 1)^{2^{n-1} + 1}.$$

Thus, the root of multiplicity $> 2^{n-1}$ from the proof of 5.5 is 1 (since the polynomial $x^{\ell-1} + \cdots + x + 1$ is a factor of $x^\ell - 1$; yet $x^\ell - 1$ has no roots of multiplicity $> 1$ in its splitting field, as $\ell$ is odd). Hence,

$$(5.5.1)\qquad m_{n-1}(x) = v(x)(x + 1)^{2^{n-1} + 1},$$

where $v(x)$ is a factor of $(x^{\ell-1} + \cdots + x + 1)^{2^{n-1}}$. Thus,

$$(5.5.2)\qquad 2^{n-1} \ell + 1 \ge \deg m_{n-1}(x) = \Psi_2(\delta_{n-1}(\mathcal{S})) \ge 2^{n-1} + 1.$$

We shall show now that for $n > 1$ both bounds are sharp.

Consider a finite sequence $T$ of length $2^{n-1} \ell$ consisting of gaps and runs (alternating blocks of 0's and 1's) of length $2^{n-1}$ each. Take this sequence as the first half of a period of a sequence $\mathcal{S}'$, and take the bitwise negation $\bar{T}$ of $T$ as the second half of a period of $\mathcal{S}'$ (of course $\bar{T} = T \ \mathrm{xor}\ (2^{2^{n-1} \ell} - 1)$, where we consider $T$ as the base-2 expansion of a suitable rational integer $T > 0$). Obviously, $\mathcal{S}'$ is a purely periodic sequence of period length $2^n \ell$, and the second half of its period is a bitwise negation of the first half. Thus, as it is shown by theorem 5.10, the sequence $\mathcal{S}'$ could be outputted as the $(n - 1)$-th coordinate sequence of a suitable wreath product of automata, which is described by theorem 4.10. Yet obviously $\mathcal{S}'$ is a sequence of gaps and runs of length $2^{n-1}$ each; thus, the exact period length of the sequence $\mathcal{S}'$ is $2^n$. So the linear complexity of $\mathcal{S}'$ is $2^{n-1} + 1$ (see the proof of theorem 5.3).

Now we prove that the upper bound in (5.5.2) is also sharp. Consider a sequence 
$U$ of gaps and runs of length $2^{n-1}$ each, and a purely periodic sequence $V$ with period 
of length $2^{n-1}\ell$; let this period consist of a run of length $2^{n-1}(\ell-1)$ followed by 
a gap of length $2^{n-1}$. Let $m_U(x)$, $m_V(x)$ be the minimal polynomials of the corresponding 
sequences. 

Since $U$ is a purely periodic sequence with period length exactly $2^n$, and the second 
half of its period is a bitwise negation of the first half, the polynomial $m_1(x) = 
x^{2^{n-1}+1} + x^{2^{n-1}} + x + 1 = (x+1)^{2^{n-1}+1}$ annihilates $U$ (see the argument above); 
so $m_U(x)$ is a factor of $m_1(x)$. However, the first $2^{n-1}+1$ overlapping $(2^{n-1}+1)$-tuples of $U$, 
considered as vectors of dimension $2^{n-1}+1$ over the field $\mathbb Z/2$, are obviously linearly 
independent. Thus, $\deg m_U(x) \ge 2^{n-1}+1$ (see [24, Theorem 8.51]). Finally we con- 
clude that $m_U(x) = m_1(x)$. A similar argument proves that $m_V(x) = (x^{\ell-1}+\cdots+x+1)^{2^{n-1}} = x^{2^{n-1}(\ell-1)} + x^{2^{n-1}(\ell-2)} + \cdots + x^{2^{n-1}} + 1$. 

Now consider the sum $\mathcal R$ of these two sequences, i.e., $\mathcal R = U \text{ xor } V$. Obviously, 
$m_U(x)$ and $m_V(x)$ are coprime, since $1$ is the only root of $m_U(x)$, yet $1$ is not a 
root of $m_V(x)$ (recall $\ell$ is odd). Thus, $m_U(x)\cdot m_V(x)$ is the minimal polynomial of $\mathcal R$ 
(see [24, Theorem 8.57]). Hence $\Psi_2(\mathcal R) = 2^{n-1}\ell+1$. 

Since $\ell$ is odd, $\mathcal R$ is obviously a purely periodic sequence of period length ex- 
actly $2^n\ell$, and the second half of the period is a bitwise negation of its first half. 
Consequently, $\mathcal R$ is the $(n-1)^{\text{th}}$ coordinate sequence of a suitable wreath product 
of automata described by theorem 4.10 (see 5.10). 

As a bonus we have that the exact period length $P$ of the $(n-1)^{\text{th}}$ coordinate 
sequence $\delta_{n-1}(S)$ for odd $\ell$ is a multiple of $2^n$: since $x^P+1$ annihilates $\delta_{n-1}(S)$, 
$m_{n-1}(x)$ is a factor of $x^P+1$. Yet $x^P+1 = (x^s+1)^{2^t} = (x+1)^{2^t}(x^{s-1}+\cdots+1)^{2^t}$, 
where $P = 2^t s$, $s$ odd, and $1$ is not a root of $x^{s-1}+\cdots+1$ since $s$ is odd. Thus, 
necessarily $2^t \ge 2^{n-1}+1$ in view of (5.5.1). Hence, $t \ge n$. So we conclude that 
$P = 2^n s$; yet $P \le 2^n\ell$ (indeed, $P$ divides $2^n\ell$) since the output sequence $Z \bmod 2^n$ is purely periodic 
of period length exactly $2^n\ell$ (see 4.10). Thus, $P = 2^n s$, where $1 \le s \le \ell$. As 
the examples of the sequences $S'$ and $\mathcal R$ demonstrate, both extreme cases $s = 1$ and $s = \ell$ 
are possible. 
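The constructions above can be checked numerically. The following is an added example (not code from the paper): it builds $U$, $V$ and $\mathcal R = U \text{ xor } V$ for given $n$ and odd $\ell$, computes linear complexity with the Berlekamp-Massey algorithm over $\mathbb Z/2$, and verifies that the two bounds of (5.5.2) are attained, and that an arbitrary first half followed by its negation stays inside those bounds. Function names and the helper layout are ours; the paper specifies only the sequences.

```python
from math import lcm

def berlekamp_massey(bits):
    """Linear complexity (length of the shortest LFSR over Z/2) of a bit list via Berlekamp-Massey.
    For a purely periodic sequence two full periods suffice, since LC <= period length."""
    N = len(bits)
    c, b = [0] * (N + 1), [0] * (N + 1)   # connection polynomials; c[i] is the coefficient of x^i
    c[0] = b[0] = 1
    L, m = 0, 1
    for n in range(N):
        d = bits[n]                         # discrepancy between prediction and actual bit
        for i in range(1, L + 1):
            d ^= c[i] & bits[n - i]
        if d == 0:
            m += 1
            continue
        t = c[:]
        for i in range(N + 1 - m):          # c(x) <- c(x) + x^m * b(x)
            c[i + m] ^= b[i]
        if 2 * L <= n:
            L, b, m = n + 1 - L, t, 1
        else:
            m += 1
    return L

def gaps_and_runs(block, length):
    """Alternating 0-blocks and 1-blocks of the given block length, starting with a gap."""
    return [(i // block) & 1 for i in range(length)]

def build_U(n):
    """One period of U: gaps and runs of length 2^(n-1), exact period 2^n."""
    return gaps_and_runs(1 << (n - 1), 1 << n)

def build_V(n, ell):
    """One period of V: a run of length 2^(n-1)(ell-1) followed by a gap of length 2^(n-1)."""
    h = 1 << (n - 1)
    return [1] * (h * (ell - 1)) + [0] * h

def xor_periods(p, q):
    """One period (of length lcm) of the bitwise xor of two purely periodic sequences."""
    P = lcm(len(p), len(q))
    return [p[i % len(p)] ^ q[i % len(q)] for i in range(P)]

def exact_period(period):
    """Least d dividing len(period) such that the given period is d-periodic."""
    P = len(period)
    return next(d for d in range(1, P + 1)
                if P % d == 0 and all(period[i] == period[i % d] for i in range(P)))

def second_half_negated(period):
    h = len(period) // 2
    return all(period[i + h] == 1 - period[i] for i in range(h))

def linear_complexity(period):
    return berlekamp_massey(period * 2)

def sharpness_check(n, ell):
    """Both bounds of (5.5.2) are attained: U gives 2^(n-1)+1, R = U xor V gives 2^(n-1)*ell+1."""
    if ell % 2 != 1:
        raise ValueError("ell must be odd")
    U, V = build_U(n), build_V(n, ell)
    R = xor_periods(U, V)
    h = 1 << (n - 1)
    return {
        "period_U": exact_period(U), "lc_U": linear_complexity(U),
        "period_R": exact_period(R), "lc_R": linear_complexity(R),
        "R_negated_halves": second_half_negated(R),
        "lower_bound": h + 1, "upper_bound": h * ell + 1,
    }

def bounds_hold(first_half):
    """(5.5.2) for an arbitrary first half of length 2^(n-1)*ell (ell odd): the full period is
    the first half followed by its bitwise negation."""
    L = len(first_half)
    h = L & -L                              # largest power of two dividing L, i.e. 2^(n-1)
    period = first_half + [1 - b for b in first_half]
    return h + 1 <= linear_complexity(period) <= L + 1
```

The practical point is the one made later in the section: a coordinate sequence of a maximum-period generator always clears the lower bound $2^{n-1}+1$ because of the negation law alone, so linear complexity by itself says little about how predictable the first half of the period is.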

We summarize the above considerations in the following 

5.6. Theorem. Let $Z_j$, $j \ge 0$, be the $j^{\text{th}}$ coordinate sequence of a wreath product 
of automata (described by any of 4.3, 4.5, 4.6, 4.7, and 4.10; thus $Z_j$ is a purely 
periodic binary sequence of period length $2^{j+1}\ell$, where $\ell = 2m$ for wreath products 
described by 4.3 or 4.5, and $\ell = m$ otherwise). Represent $\ell = 2^k r$, where $r$ is 
odd. Then the exact period length of $Z_j$ is $2^{k+j+1}s$ for some $s \in \{1,2,\ldots,r\}$, and 
both extreme cases $s = 1$ and $s = r$ occur: for every sequence $s_1, s_2, \ldots$ over the set 
$\{1, r\}$ there exists a wreath product of automata such that the period length of the 
$j^{\text{th}}$ coordinate sequence of its output is exactly $2^{k+j+1}s_j$ ($j = 1,2,\ldots$). 

Moreover, the linear complexity $\Psi_2(Z_j)$ of the sequence $Z_j$ satisfies the following 
inequality: 

$$2^{k+j}+1 \le \Psi_2(Z_j) \le 2^{k+j}r+1.$$ 

Both these bounds are sharp: for every sequence $t_1, t_2, \ldots$ over the set $\{1, r\}$ there 
exists a wreath product of automata such that the linear complexity of the $j^{\text{th}}$ coor- 
dinate sequence of its output is exactly $2^{k+j}t_j+1$ ($j = 1,2,\ldots$). 

Proof. Nearly everything is already done by the preceding arguments. We only 
note that in view of the mentioned theorem 5.10, we can choose the coordinate sequences 
independently of one another. That is, for each sequence of purely periodic binary 
sequences $Z_1, Z_2, \ldots$ such that the period length of the $j^{\text{th}}$ sequence $Z_j$ ($j = 1,2,\ldots$) 
is $2^{j+1}\ell$, and the second half of this period is a bitwise negation of the first half, 
there exists a wreath product of automata that satisfies 4.10 and such that the $j^{\text{th}}$ 
coordinate sequence of its output is exactly $Z_j$ for all $j = 1,2,\ldots$. □ 

With the use of theorem 5.1 it is possible to estimate two other measures of 
complexity of the coordinate sequence, which were introduced in [10]: namely, 2- 
adic complexity and 2-adic span. Whereas linear complexity (also known as linear 
span) is the number of cells in a linear feedback shift register outputting a given 
sequence $S$ over $\mathbb Z/2$, the 2-adic span is the number of cells in both the memory and the 
register of a feedback with carry shift register (FCSR) that outputs $S$, and the 
2-adic complexity estimates the number of cells in the register of this FCSR. To 
be more exact, the 2-adic complexity $\Phi_2(S)$ of the (eventually) periodic sequence 
$S = \{s_0, s_1, s_2, \ldots\}$ over $\mathbb Z/2$ is $\log_2(\Phi(u,v))$, where $\Phi(u,v) = \max\{|u|, |v|\}$ and 
$\frac{u}{v} \in \mathbb Q$ is the irreducible fraction such that its 2-adic expansion agrees with $S$, 
that is, $\frac{u}{v} = s_0 + s_1 2 + s_2 2^2 + \cdots \in \mathbb Z_2$. The number of cells in the register of the 
FCSR producing $S$ is then $\lceil \log_2(\Phi(u,v)) \rceil$, the least rational integer not smaller 
than $\log_2(\Phi(u,v))$. Thus, we only need to estimate $\Phi_2(S)$. 

5.7. Theorem. Let $S_j = \{s_0, s_1, s_2, \ldots\}$ be the $j^{\text{th}}$ coordinate sequence; its 2- 
adic complexity $\Phi_2(S_j)$ is 

$$\log_2\left(\frac{2^{2^j}+1}{\gcd(2^{2^j}+1,\ \gamma+1)}\right),$$ 

where $\gamma = s_0 + s_1 2 + s_2 2^2 + \cdots + s_{2^j-1}2^{2^j-1}$. 

Note. We note that $\gamma$ is a non-negative rational integer, $0 \le \gamma \le 2^{2^j}-1$; also we 
note that for each $\gamma$ of this range there exists an ergodic mapping such that the 
first half of the period of the $j^{\text{th}}$ coordinate sequence of the corresponding output 
is the base-2 expansion of $\gamma$ (see 5.9). Thus, to find all possible values of the 2-adic 
complexity of the $j^{\text{th}}$ coordinate sequence one has to decompose the $j^{\text{th}}$ Fermat 
number $2^{2^j}+1$. It is known that the $j^{\text{th}}$ Fermat number is prime for $0 \le j \le 4$ and 
that it is composite for $5 \le j \le 23$. For each Fermat number outside this range 
it is not known whether it is prime or composite. The complete decomposition of the 
$j^{\text{th}}$ Fermat number is not known for $j > 11$. Assuming for some $j \ge 2$ the $j^{\text{th}}$ 
Fermat number is composite, all its factors are of the form $k2^{j+2}+1$; see e.g. [15] 
for further references. So, the following bounds for the 2-adic complexity $\Phi_2(S_j)$ of the 
$j^{\text{th}}$ coordinate sequence $S_j$ hold: 

$$j+3 \le \lceil \Phi_2(S_j) \rceil \le 2^j+1,$$ 

yet to prove whether the lower bound is sharp for a certain $j > 11$, or whether 
$\lceil \Phi_2(S_j) \rceil$ could actually be less than $2^j+1$ for $j > 23$, is as difficult as to decompose 
the $j^{\text{th}}$ Fermat number or, respectively, to determine whether the $j^{\text{th}}$ Fermat number 
is prime or composite. 

Proof of theorem 5.7. We only have to express $s_0 + s_1 2 + s_2 2^2 + \cdots$ as an irreducible 
fraction. Denote $\gamma = s_0 + s_1 2 + s_2 2^2 + \cdots + s_{2^j-1}2^{2^j-1}$. Then using the second 
identity of (2.0.2) we in view of 5.1 obtain that $s_0 + s_1 2 + s_2 2^2 + \cdots + s_{2^{j+1}-1}2^{2^{j+1}-1} = 
\gamma + 2^{2^j}(2^{2^j} - \gamma - 1) = \gamma'$, and hence $s_0 + s_1 2 + s_2 2^2 + \cdots = \gamma' + \gamma' 2^{2^{j+1}} + \gamma' 2^{2\cdot 2^{j+1}} + 
\gamma' 2^{3\cdot 2^{j+1}} + \cdots = \dfrac{\gamma'}{1 - 2^{2^{j+1}}} = \dfrac{\gamma+1}{2^{2^j}+1} - 1$. This completes the proof in view of the definition of the 
2-adic complexity of a sequence. □ 
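As an added worked example (ours, not the paper's), the fraction of theorem 5.7 can be built directly from the first half of the period and checked against the 2-adic expansion: the digits of a rational $u/v$ with $v$ odd are obtained by repeatedly taking $u \bmod 2$ and replacing $u$ by $(u - s v)/2$. The same code reproduces the $f(x) = x+1$ case discussed below (all-zero first half, register size $2^j+1$) and the Fermat-number effect of the Note: for $j = 5$, $2^{32}+1 = 641 \cdot 6700417$, so choosing $\gamma + 1 = 6700417$ collapses the FCSR register from 33 cells to $\lceil \log_2 641 \rceil = 10$. The factorisation of $F_5$ is Euler's; function names are ours.

```python
from fractions import Fraction
from math import log2, ceil

def int_to_bits(g, length):
    """Base-2 expansion of g, least significant bit first (the paper's convention)."""
    return [(g >> i) & 1 for i in range(length)]

def two_adic_rational(first_half):
    """Rational whose 2-adic expansion is first_half, then its negation, repeated forever:
    (gamma + 1)/(2^h + 1) - 1, with h = len(first_half) and gamma the integer with bits first_half."""
    h = len(first_half)
    gamma = sum(b << i for i, b in enumerate(first_half))
    return Fraction(gamma + 1, (1 << h) + 1) - 1          # Fraction reduces to lowest terms

def two_adic_digits(q, count):
    """First `count` digits of the 2-adic expansion of a rational with odd denominator."""
    u, v = q.numerator, q.denominator
    if v % 2 == 0:
        raise ValueError("not a 2-adic integer")
    digits = []
    for _ in range(count):
        s = u & 1                   # v is odd, so u/v = u (mod 2)
        digits.append(s)
        u = (u - s * v) // 2        # exact division: u - s*v is even
    return digits

def two_adic_complexity(q):
    """Phi_2 = log2 max(|u|, |v|) for the irreducible fraction u/v."""
    return log2(max(abs(q.numerator), abs(q.denominator)))

def fcsr_register_cells(q):
    """Cells in the register of an FCSR producing the expansion of q."""
    return ceil(two_adic_complexity(q))

def coordinate_complexity(j, gamma):
    """Theorem 5.7 for the j-th coordinate sequence whose first half-period encodes gamma.
    Also verifies that the expansion really is 'first half, then its negation'."""
    half = int_to_bits(gamma, 1 << j)
    q = two_adic_rational(half)
    if two_adic_digits(q, 2 << j) != half + [1 - b for b in half]:
        raise AssertionError("expansion does not match the negation law")
    return fcsr_register_cells(q)
```

Because the reduced denominator always divides $2^{2^j}+1$, the register size is fixed by which divisor of the Fermat number $\gamma+1$ shares; for Fermat primes ($j \le 4$) every $\gamma$ gives the same $2^j+1$ cells.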

5.8. Note. Similar estimates of $\Phi_2(\delta_{n-1}(S))$ could be obtained for the sequences 
$S \in \{W_n, Y_n, Z\}$ of 4.6, 4.7, and 4.10, respectively (for $S \in \{U_n, X_n\}$ of 4.3 and 4.5 
this estimate is already given by 5.7 in view of 4.5). In view of 4.11 the argument 
of the proof of 5.7 gives that the representation of the binary sequence $\delta_{n-1}(S)$ 
as a 2-adic integer is $\dfrac{\gamma+1}{2^{2^{n-1}m}+1} - 1$, so we have only to study the fraction $\dfrac{\gamma+1}{2^{2^{n-1}m}+1}$, 
where $\gamma = s_0 + s_1 2 + s_2 2^2 + \cdots + s_{2^{n-1}m-1}2^{2^{n-1}m-1}$ and $m$ is as in the statements of 
4.6, 4.7, and 4.10. Representing $m = 2^k m_1$ with $m_1 \ge 1$ odd, we can factorize 
$2^{2^{n-1}m}+1 = (2^{2^{n-1+k}}+1)(2^{2^{n-1+k}(m_1-1)} - 2^{2^{n-1+k}(m_1-2)} + \cdots - 2^{2^{n-1+k}} + 1)$, but 
the problem does not become much easier because of the first multiplier. We omit 
further details. 

Both theorems 5.3 and 5.7 show that all three measures of complexity of a 
sequence (linear and 2-adic spans and 2-adic complexity) are not too sensitive. 
For instance, assuming $f(x) = x+1$ to be the state transition function of the 
automaton $\mathfrak A^f$ (with an arbitrary initial state), we see that the values of both linear and 2- 
adic complexity of the $j^{\text{th}}$ coordinate sequence $S_j$ of this automaton depend on $j$ 
exponentially: $\Psi_2(S_j) = \lceil \Phi_2(S_j) \rceil = 2^j+1$. However, in this case $S_j$ is merely a 
sequence of alternating blocks of 0's and 1's of length $2^j$ each. 

Looking through the proofs of the corresponding theorems it is easy to observe 
that such large values of linear and 2-adic complexity in the above example are due 
to a very simple law the $j^{\text{th}}$ coordinate sequence obeys: the second half of the 
period is the bitwise negation of the first half (see 5.1, 4.11). This means that, 
intuitively, the $j^{\text{th}}$ coordinate sequence is only as complex as the first half of its period. 
Thus we have to understand what sequences of length $2^j$ could be output as the 
first half of the period of the $j^{\text{th}}$ coordinate sequence, that is, what values the 
rational integer $\gamma$ of 5.7 takes. 

In other words, let $\gamma_j(f,z) \in \mathbb N_0$ be the number whose base-2 expansion 
agrees with the first half of the period of the $j^{\text{th}}$ coordinate sequence produced by 
the automaton $\mathfrak A^f$ with initial state $z$, i.e., let 

$$\gamma_j(f,z) = \delta_j(f^{(0)}(z)) + 2\delta_j(f^{(1)}(z)) + 4\delta_j(f^{(2)}(z)) + \cdots + 2^{2^j-1}\delta_j(f^{(2^j-1)}(z)).$$ 

Obviously, $0 \le \gamma_j(f,z) \le 2^{2^j}-1$. A natural question arises: 

Given a compatible and ergodic mapping $f\colon \mathbb Z_2 \to \mathbb Z_2$ and a 2-adic integer $z \in \mathbb Z_2$, 
what infinite string $\gamma_0 = \gamma_0(f,z), \gamma_1 = \gamma_1(f,z), \gamma_2 = \gamma_2(f,z), \ldots$ (where $\gamma_j \in 
\{0,1,\ldots,2^{2^j}-1\}$ for $j = 0,1,2,\ldots$) could be obtained? 

The answer is: any one. 

Namely, the following theorem holds. 

5.9. Theorem. Let $\Gamma = \{\gamma_j \in \mathbb N_0\colon j = 0,1,2,\ldots\}$ be an arbitrary sequence of 
non-negative rational integers that satisfy $0 \le \gamma_j \le 2^{2^j}-1$ for $j = 0,1,2,\ldots$; 
then there exist a compatible and ergodic mapping $f\colon \mathbb Z_2 \to \mathbb Z_2$ and a 2-adic integer 
$z \in \mathbb Z_2$ such that $\delta_j(z) = \delta_0(\gamma_j)$, $\delta_0(f^{(i)}(z)) \equiv \gamma_0 + i \pmod 2$, and 

$$\delta_j(f^{(i)}(z)) \equiv \delta_{i \bmod 2^j}(\gamma_j) + \left\lfloor \frac{i}{2^j} \right\rfloor \pmod 2$$ 

for all $i, j \in \mathbb N$. 

Note. The sequence $\{\lfloor i/2^j \rfloor \bmod 2\colon i = 1,2,\ldots\}$ is merely a binary sequence 
of alternating gaps and runs (i.e., blocks of consecutive 0's or 1's, respectively) of 
length $2^j$ each. 

Proof of theorem 5.9. Put $z = z_0 = \sum_{j=0}^{\infty}\delta_0(\gamma_j)2^j$ and 

$$z_i = \bigl((\gamma_0 + i) \bmod 2\bigr) + \sum_{j=1}^{\infty}\Bigl(\bigl(\delta_{i \bmod 2^j}(\gamma_j) + \lfloor i/2^j \rfloor\bigr) \bmod 2\Bigr)\cdot 2^j$$ 

for $i = 1,2,3,\ldots$ (for $j > \lfloor \log_2 i \rfloor$ the $j^{\text{th}}$ summand is just $\delta_i(\gamma_j)2^j$). Consider the sequence $Z = \{z_i\colon i = 0,1,2,\ldots\}$. Speaking infor- 
mally, we are filling a table with a countably infinite number of rows and columns 
in such a way that the first $2^j$ entries of the $j^{\text{th}}$ column represent $\gamma_j$ in its base-2 
expansion, and the other entries of this column are obtained from these by apply- 
ing the recursive relation of theorem 5.1. Then each $i^{\text{th}}$ row of the table is the canonical 
2-adic representation of $z_i \in Z$. 

We shall prove that $Z$ is a dense subset of $\mathbb Z_2$, and then define $f$ on $Z$ in such a 
way that $f$ is compatible and ergodic on $Z$. This will imply the assertion of the 
theorem. 

Proceeding along this way we claim that $Z \bmod 2^k = \mathbb Z/2^k$ for all $k = 1,2,3,\ldots$, 
i.e., the natural ring homomorphism $\bmod 2^k\colon z \mapsto z \bmod 2^k$ maps $Z$ onto the residue 
ring $\mathbb Z/2^k$. Indeed, this trivially holds for $k = 1$. Assuming our claim holds for 
$k < m$ we prove it for $k = m$. Given an arbitrary $t \in \{0,1,\ldots,2^m-1\}$ there exists 
$z_i \in Z$ such that $z_i \equiv t \pmod{2^{m-1}}$. If $z_i \not\equiv t \pmod{2^m}$ then $\delta_{m-1}(z_i) \equiv \delta_{m-1}(t) + 
1 \pmod 2$ and thus $\delta_{m-1}(z_{i+2^{m-1}}) \equiv \delta_{m-1}(t) \pmod 2$. However, $z_{i+2^{m-1}} \equiv z_i 
\pmod{2^{m-1}}$. Hence $z_{i+2^{m-1}} \equiv t \pmod{2^m}$. 

A similar argument shows that for each $k \in \mathbb N$ the sequence $\{z_i \bmod 2^k\colon i = 
0,1,2,\ldots\}$ is purely periodic with period length $2^k$, and each $t \in \{0,1,\ldots,2^k-1\}$ 
occurs at the period exactly once (in particular, all members of $Z$ are pairwise 
distinct 2-adic integers). Moreover, $i \equiv i' \pmod{2^k}$ iff $z_i \equiv z_{i'} \pmod{2^k}$. Conse- 
quently, $Z$ is dense in $\mathbb Z_2$ since for each $t \in \mathbb Z_2$ and each $k \in \mathbb N$ there exists $z_i \in Z$ 
such that $\|z_i - t\|_2 \le 2^{-k}$. Moreover, if we define $f(z_i) = z_{i+1}$ for all $i = 0,1,2,\ldots$ 
then $\|f(z_i) - f(z_{i'})\|_2 = \|z_{i+1} - z_{i'+1}\|_2 = \|(i+1) - (i'+1)\|_2 = \|i - i'\|_2 = \|z_i - z_{i'}\|_2$. 
Hence, $f$ is well defined and compatible on $Z$; it follows that the continuation of $f$ 
to the whole space $\mathbb Z_2$ is compatible. Yet $f$ is transitive modulo $2^k$ for each $k \in \mathbb N$, 
so its continuation is ergodic. □ 
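The construction in the proof is finite-checkable modulo $2^K$. The following added example (ours, not from the paper) fills the table $z_i$ from a prescribed $\Gamma = \{\gamma_0, \ldots, \gamma_{K-1}\}$, reads off the induced map $z_i \bmod 2^k \mapsto z_{i+1} \bmod 2^k$, and verifies that it is well defined (compatibility) and a single $2^k$-cycle (transitivity) for every $k \le K$, while the $j^{\text{th}}$ coordinate sequence has exactly the base-2 expansion of $\gamma_j$ as the first half of its period. Function names and the choice of test values for $\Gamma$ are ours.

```python
def bit(x, j):
    return (x >> j) & 1

def int_to_bits(g, length):
    return [bit(g, i) for i in range(length)]

def theorem_5_9_states(gammas, count):
    """z_0, ..., z_{count-1} from the proof of Theorem 5.9, truncated to K = len(gammas) coordinates
    (i.e. z_i mod 2^K).  Coordinate j of z_i is delta_{i mod 2^j}(gamma_j) + floor(i/2^j) (mod 2);
    for j = 0 this reads gamma_0 + i (mod 2)."""
    K = len(gammas)
    for j, g in enumerate(gammas):
        if not 0 <= g < (1 << (1 << j)):
            raise ValueError("gamma_%d must lie in [0, 2^(2^%d) - 1]" % (j, j))
    states = []
    for i in range(count):
        z = 0
        for j in range(K):
            d = (bit(gammas[j], i % (1 << j)) + (i >> j)) & 1
            z |= d << j
        states.append(z)
    return states

def transition_map(states, k):
    """The induced f mod 2^k as a dict z_i mod 2^k -> z_{i+1} mod 2^k.  Raises if two indices
    agree mod 2^k but their successors do not, i.e. if f would not be compatible."""
    f, mask = {}, (1 << k) - 1
    for a, b in zip(states, states[1:]):
        key, val = a & mask, b & mask
        if f.setdefault(key, val) != val:
            raise ValueError("not compatible modulo 2^%d" % k)
    return f

def is_transitive(f, k):
    """True iff f is one 2^k-cycle on Z/2^k (transitive mod 2^k; for all k this is ergodicity)."""
    x, seen = 0, set()
    for _ in range(1 << k):
        if x in seen:
            return False
        seen.add(x)
        x = f[x]
    return x == 0 and len(seen) == 1 << k

def coordinate_period(states, j):
    """One full period (2^(j+1) bits) of the j-th coordinate sequence of the state sequence."""
    return [bit(z, j) for z in states[: 1 << (j + 1)]]

def realises(gammas):
    """Check Theorem 5.9 modulo 2^K: f compatible and transitive mod 2^k for all k <= K, and the
    first half of the period of coordinate j equals the bits of gamma_j (second half negated)."""
    K = len(gammas)
    states = theorem_5_9_states(gammas, 2 << K)
    for k in range(1, K + 1):
        if not is_transitive(transition_map(states, k), k):
            return False
    for j, g in enumerate(gammas):
        half = int_to_bits(g, 1 << j)
        if coordinate_period(states, j) != half + [1 - b for b in half]:
            return False
    return True
```

For a keystream this is the caveat behind theorems 5.6 and 5.7: the negation law forces the high complexity figures, but the first half of every coordinate sequence is free, so a generator whose $\gamma_j$ happen to be structured (e.g. the all-zero halves of $f(x) = x+1$) passes the complexity bounds while being trivially predictable.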

Theorem 5.9 could be extended to coordinate sequences of wreath products of 
automata (see Section 4), i.e., to the sequences $\delta_j(Z) = \{\delta_j(x_i)\colon i = 0,1,2,\ldots\}$, 
where $Z = \{x_i\colon i = 0,1,2,\ldots\}$ is the recurrence sequence over $\mathbb Z_2$ defined in 4.10. 
Speaking loosely, the first half of a period of each $i^{\text{th}}$ ($i \ge 1$) coordinate sequence 
of a wreath product of automata could be arbitrary and independent of the others. Now 
we give a formal statement and a proof of it. 

Recall that $\delta_j(Z)$ is a purely periodic binary sequence of period length $2^{j+1}m$, 
and the second half of the period is a bitwise negation of its first half, see 4.11. 
Thus, the sequence $\delta_j(Z)$ could be identified with a rational number (which will be 
denoted by the same symbol $\delta_j(Z)$) such that its canonical 2-adic representation is 
$\delta_j(x_0) + \delta_j(x_1)2 + \delta_j(x_2)2^2 + \cdots$. Hence in view of note 5.8, 

(5.9.1) $\dfrac{\gamma_j+1}{2^{2^j m}+1} - 1 = \delta_j(Z)$, 

where $\gamma_j = \delta_j(x_0) + \delta_j(x_1)2 + \delta_j(x_2)2^2 + \cdots + \delta_j(x_{2^j m-1})2^{2^j m-1}$, and $m$ and $x_i$ 
are as in the statement of 4.10. In other words, $\gamma_j \in \mathbb N_0$ is the number whose 
base-2 expansion agrees with the first $2^j m$ terms of the sequence $\{\delta_j(x_i)\colon i = 
0,1,2,\ldots\}$, where $x_{i+1} = g_{i \bmod m}(x_i)$, and $\mathcal G = \{g_0, \ldots, g_{m-1}\}$ is a finite sequence 
of compatible measure preserving mappings of $\mathbb Z_2$ onto itself, see 4.10. Thus, $\gamma_j \in 
\{0,1,\ldots,2^{2^j m}-1\}$, and $\gamma_j$ depends on $x_0$ and on $\mathcal G$. Yet an arbitrary purely periodic 
sequence of period length $2^{j+1}m$ such that the second half of its period is a bitwise 
negation of the first half (the latter could be considered as the base-2 expansion of a 
rational integer $\gamma_j$), being treated as the 2-adic representation of a rational number, 
could be represented as (5.9.1) (see 5.8). So we wonder what sequences 
of such kind could be represented by coordinate sequences of wreath products of 
automata described by theorem 4.10. 

In other words, to each sequence $Z$ described by theorem 4.10 we associate the 
sequence $\Gamma(Z) = \{\gamma_0, \gamma_1, \ldots\}$ of non-negative rational integers $\gamma_j$ such that $0 \le \gamma_j \le 
2^{2^j m}-1$ and (5.9.1) holds for all $j = 0,1,2,\ldots$. Now we take an arbitrary sequence 
$\Gamma$ of this type and wonder whether this sequence could be associated to some 
sequence $Z$ described by theorem 4.10. Generally speaking, the answer is no, since 
according to 4.10 the sequence $\delta_0(Z)$ is purely periodic with period length exactly 
$2m$. However, a purely periodic sequence $S$ of period length $2m$ such that the 
second half of its period is a bitwise negation of the first half, i.e., such that $S$ could 
be represented in the form (5.9.1) as $S = \dfrac{\gamma_0+1}{2^m+1} - 1$ for a suitable $0 \le \gamma_0 \le 2^m-1$, does not 
necessarily have exact period length $2m$ (see note 4.11). However, according to 4.11, 
the senior coordinate sequences $\delta_j(Z)$ ($j \ge 1$) could have exact periods smaller than 
$2^{j+1}m$. So it is reasonable to ask whether an arbitrary sequence $\Gamma = \{\gamma_1, \gamma_2, \ldots\}$ 
of non-negative rational integers such that $0 \le \gamma_j \le 2^{2^j m}-1$ corresponds in the 
above meaning to a certain sequence $Z$ described by theorem 4.10. In this case the 
answer is yes. Namely, the following theorem holds. 

5.10. Theorem. Let $m \ge 1$ be a rational integer, and let $\Gamma = \{\gamma_0, \gamma_1, \ldots\}$ be an 
arbitrary sequence over $\mathbb N_0$ such that $\gamma_j \in \{0,1,\ldots,2^{2^j m}-1\}$ for all $j = 0,1,2,\ldots$. 
Then there exist a finite sequence $\mathcal G = \{g_0, \ldots, g_{m-1}\}$ of compatible measure pre- 
serving mappings of $\mathbb Z_2$ onto itself and a 2-adic integer $x_0 \in \mathbb Z_2$ such that $\mathcal G$ satisfies 
the conditions of theorem 4.10, and $\delta_j(Z)$ satisfies (5.9.1) for all $j = 1,2,\ldots$, where 
the recurrence sequence $Z = \{x_0, x_1, \ldots\} \subset \mathbb Z_2$ is defined by the recurrence relation 

$$x_{i+1} = g_{i \bmod m}(x_i) \qquad (i = 0,1,2,\ldots).$$ 

Proof. According to 3.13, a mapping $g_i\colon \mathbb Z_2 \to \mathbb Z_2$ is compatible and measure 
preserving iff each $\delta_j(g_i(x))$ is a Boolean polynomial in the Boolean variables $x_0 = 
\delta_0(x), x_1 = \delta_1(x), \ldots$ that is linear with respect to $x_j$; i.e., $\delta_j(g_i(x))$ could be rep- 
resented as 

$$\delta_j(g_i(x)) = x_j + \varphi^i_j(x_0, \ldots, x_{j-1}),$$ 

where $\varphi^i_j = \varphi^i_j(x_0, \ldots, x_{j-1})$ is an arbitrary Boolean polynomial in the Boolean vari- 
ables $x_0, \ldots, x_{j-1}$. Thus, a compatible and measure preserving mapping $g_i$ is 
completely determined by the sequence $\varphi^i_0, \varphi^i_1, \ldots$ of corresponding Boolean poly- 
nomials. So, given a sequence $\Gamma$ we have to determine $x_0 \in \mathbb Z_2$ and a family 
$\{\varphi^i_j\colon i = 0,1,\ldots,m-1;\ j = 0,1,2,\ldots\}$ of Boolean functions such that the respec- 
tive measure preserving mappings $g_k$ ($k = 0,1,\ldots,m-1$) satisfy theorem 4.10 
and that $\delta_j(Z)$ satisfies (5.9.1) for all $j = 1,2,\ldots$, where the recurrence sequence 
$Z = \{x_0, x_1, \ldots\} \subset \mathbb Z_2$ is defined by the recurrence relation $x_{i+1} = g_{i \bmod m}(x_i)$ 
($i = 0,1,2,\ldots$). 

To start with, we set $x_0 = \delta_0(\gamma_0) + \delta_0(\gamma_1)\cdot 2 + \delta_0(\gamma_2)\cdot 2^2 + \cdots \in \mathbb Z_2$. Further we 
describe an inductive procedure to determine the $\varphi^i_j$ successively for $j = 0,1,2,\ldots$. 

For $j = 0$ we fix arbitrary $g_0(0) = \varphi^0_0, \ldots, g_{m-1}(0) = \varphi^{m-1}_0 \in \{0,1\}$ that satisfy 
conditions (1) and (2) of theorem 4.10. Note that thus we have determined all the 
mappings $g_i$ ($i = 0,1,\ldots,m-1$) modulo 2. Note also that the recurrence sequence 
$\mathcal X_0 = \{\xi^0_0, \xi^0_1, \ldots\}$ defined by the relations $\xi^0_0 = x_0 \bmod 2$, $\xi^0_{k+1} = g_{k \bmod m}(\xi^0_k) \bmod 2$ 
is a purely periodic sequence over $\mathbb Z/2 = \{0,1\}$ with period length exactly $2m$, that 
each element of $\mathbb Z/2$ occurs at the period exactly $m$ times, and that $\xi^0_{k+m} \equiv \xi^0_k + 1 
\pmod 2$ (see the very beginning of the proof of 4.7). 
Suppose that we have already determined Boolean polynomials $\varphi^i_j$ for $j = 
0,1,\ldots,n-1$, $i = 0,1,\ldots,m-1$ in such a way that all the members of the recur- 
rence sequence $\mathcal X_{n-1} = \{\xi^{n-1}_0, \xi^{n-1}_1, \ldots\}$ defined by the relations $\xi^{n-1}_0 = x_0 \bmod 2^n$, 
$\xi^{n-1}_{k+1} = g_{k \bmod m}(\xi^{n-1}_k) \bmod 2^n$, satisfy the congruence $\delta_j(\xi^{n-1}_{k+2^{n-1}m}) \equiv \delta_j(\xi^{n-1}_k) + 1 
\pmod 2$ for all $j = 0,1,\ldots,n-1$ and $k = 0,1,2,\ldots$. Note that then an easy induction 
on $j$ (which actually is already done during the proof of claim (3) of lemma 4.7) 
shows that for any $k$ 

(5.10.1) $|\{\xi^{n-1}_{k+sm}\colon s = 0,1,\ldots,2^n-1\}| = 2^n.$ 

Hence, $\mathcal X_{n-1}$ is a purely periodic sequence over $\mathbb Z/2^n$ of period length exactly $2^n m$, 
with each element of $\mathbb Z/2^n$ occurring at the period exactly $m$ times. Now we define the 
Boolean polynomials $\varphi^i_n$ for $i = 0,1,\ldots,m-1$. 

For a Boolean polynomial $\psi$ in the Boolean variables $x_0, \ldots, x_s$ and for $z \in \mathbb Z_2$ 
denote $\psi(z) = \psi(\delta_0(z), \ldots, \delta_s(z))$. Proceeding with this notation, set 

(5.10.2) $\varphi^{k \bmod m}_n(\xi^{n-1}_k) \equiv \delta_k(\gamma_n) + \delta_{k+1}(\gamma_n) \pmod 2,$ 

for $k = 0,1,\ldots,2^n m-2$. Set also 

(5.10.3) $\varphi^{m-1}_n(\xi^{n-1}_{2^n m-1}) \equiv \delta_{2^n m-1}(\gamma_n) + \delta_0(\gamma_n) + 1 \pmod 2.$ 

Note that in view of (5.10.2) and (5.10.1) the Boolean functions $\varphi^i_n$ of $n$ variables 
(and hence the corresponding Boolean polynomials) for $i = 0,1,\ldots,m-2$ are well 
defined; also, the Boolean polynomial $\varphi^{m-1}_n$ is well defined in view of (5.10.3), 
(5.10.2), and (5.10.1). 

Consider now the recurrence sequence $\mathcal E_n = \{\varepsilon_k\colon k = 0,1,2,\ldots\}$ over $\mathbb Z/2$ defined 
by the relations $\varepsilon_0 = \delta_0(\gamma_n)$, $\varepsilon_{k+1} \equiv \varepsilon_k + \varphi^{k \bmod m}_n(\xi^{n-1}_k) \pmod 2$. In view of (5.10.2) 
one has $\varepsilon_k = \delta_k(\gamma_n)$ for $k = 0,1,\ldots,2^n m-1$, and $\varepsilon_{2^n m} \equiv \delta_0(\gamma_n) + 1 \pmod 2$ in 
view of (5.10.3). Yet $\mathcal X_{n-1}$ is a purely periodic sequence over $\mathbb Z/2^n$ of period length 
exactly $2^n m$; proceeding with this we obtain successively in view of (5.10.3) and 
(5.10.2): 

$$\varepsilon_{2^n m} \equiv \delta_0(\gamma_n) + 1 \pmod 2,\ \ldots,\ \varepsilon_{2^n m + (2^n m-1)} \equiv \delta_{2^n m-1}(\gamma_n) + 1 \pmod 2,$$ 

$$\varepsilon_{2\cdot 2^n m} \equiv \delta_0(\gamma_n) \pmod 2,\ \ldots,\ \varepsilon_{2\cdot 2^n m + (2^n m-1)} \equiv \delta_{2^n m-1}(\gamma_n) \pmod 2,$$ 

$$\varepsilon_{3\cdot 2^n m} \equiv \delta_0(\gamma_n) + 1 \pmod 2,\ \ldots$$ 

Note that in view of the definition of $\varepsilon_k$ one has 

$$\varepsilon_{2^n m} = \delta_0(\gamma_n) + \sum_{k=0}^{2^n m-1}\varphi^{k \bmod m}_n(\xi^{n-1}_k).$$ 

But the sum in the right hand side must be $1$ modulo 2 since $\varepsilon_{2^n m} \equiv \delta_0(\gamma_n) + 1 
\pmod 2$, as was proved above. So, in view of (5.10.1) one has 

$$\sum_{k=0}^{2^n m-1}\varphi^{k \bmod m}_n(\xi^{n-1}_k) \equiv \sum_{i=0}^{m-1}\ \sum_{t \in \mathbb Z/2^n}\varphi^i_n(t) \equiv 1 \pmod 2.$$ 

With the note that $\sum_{t \in \mathbb Z/2^n}\varphi^i_n(t)$ is just the weight of the Boolean polynomial $\varphi^i_n$, we 
conclude that an odd number of the Boolean polynomials $\varphi^0_n, \ldots, \varphi^{m-1}_n$ must be of 
odd weight (cf. conditions of lemma 4.7). 
Now setting $\xi^n_k = \xi^{n-1}_k + 2^n\cdot\varepsilon_k$ for $k = 0,1,2,\ldots$ we obtain a sequence $\mathcal X_n = 
\{\xi^n_0, \xi^n_1, \ldots\}$ over $\mathbb Z/2^{n+1}$ such that the members of $\mathcal X_n$ satisfy the following relations 

$$\delta_j(\xi^n_{k+2^n m}) \equiv \delta_j(\xi^n_k) + 1 \pmod 2$$ 

for all $j = 0,1,\ldots,n$ and $k = 0,1,2,\ldots$. Moreover, $\mathcal X_n$ is a purely periodic sequence 
with period length $2^{n+1}m$ (in view of the third of the preceding congruences, since 
the sequence $\mathcal X_{n-1}$ is purely periodic with period length exactly $2^n m$ by the above 
assumption), and each element of $\mathbb Z/2^{n+1}$ occurs at the period exactly $m$ times. 

Finally, $\delta_n(\mathcal X_n) = \{\varepsilon_0, \varepsilon_1, \ldots\} = \dfrac{\gamma_n+1}{2^{2^n m}+1} - 1$. 

With the use of this inductive procedure we construct for $n = 1,2,\ldots$ well 
defined mappings $g_i$ modulo $2^{n+1}$ ($i = 0,1,\ldots,m-1$) that are compatible and 
bijective modulo $2^{n+1}$; moreover, the corresponding recurrence sequence $\mathcal X_n$ defined 
by the relation $x_{i+1} = g_{i \bmod m}(x_i) \bmod 2^{n+1}$ satisfies (5.9.1) for $j = 1,\ldots,n$. The 
mappings $g_i$ satisfy condition (3) of 4.10 for $k = 1,2,\ldots,n+1$ since, as was 
noted above, an odd number of the Boolean polynomials $\varphi^0_k, \ldots, \varphi^{m-1}_k$ are of odd 
weight for all $k = 1,2,\ldots,n$. From the definition of the $g_i$ modulo 2 it follows that 
these mappings $g_i$ satisfy conditions (1) and (2) of 4.10. This completes the proof 
in view of the remarks made at the very beginning of it. □ 

Distribution of $k$-tuples. In this subsection we study the distribution of overlap- 
ping binary $k$-tuples in output sequences of the automata introduced above. As 
was shown, an output sequence of any of these automata with output alphabet 
$\{0,1,2,\ldots,2^n-1\} = \mathbb Z/2^n$ is strictly uniformly distributed as a sequence over 
$\mathbb Z/2^n$. That is, it is purely periodic, and each element of $\mathbb Z/2^n$ occurs at the period 
the same number of times. However, one could consider the same sequence as a bi- 
nary sequence, and ask what the distribution of $n$-tuples in such a sequence is. Strict 
uniform distribution of an arbitrary sequence $T$ as a sequence over $\mathbb Z/2^n$ does not 
necessarily imply uniform distribution of overlapping $n$-tuples if this sequence is 
considered as a binary sequence! 

For instance, let $T$ be the following strictly uniformly distributed sequence over 
$\mathbb Z/4$ with period length exactly 4: $T = 0231\,0231\,0231\ldots$. Then its representation as 
a binary sequence is $T = 00011110\,00011110\,00011110\ldots$ (recall that according to 
our conventions in Section 2 we write senior bits right, and not left; i.e., $2 = 01$, 
$1 = 10$, etc.). Obviously, when we consider $T$ as a sequence over $\mathbb Z/4$, each 
number of $\{0,1,2,3\}$ occurs in the sequence with the same frequency $\frac14$. Yet if we 
consider $T$ as a binary sequence, then $00$ (as well as $11$) occurs in this sequence with 
frequency $\frac38$, whereas $01$ (and $10$) occurs with frequency $\frac18$. Thus, the sequence $T$ 
is uniformly distributed over $\mathbb Z/4$, but its binary representation is not uniformly distributed with respect to 2-tuples. 

In this subsection we show that such an effect does not take place for output 
sequences of the automata described in 4.3, 4.5, 4.6, 4.7, and 4.10: considering any of 
these sequences as a binary sequence, the distribution of $k$-tuples is uniform for all 
$k \le n$. Now we state this property more formally. 

Consider a (binary) $n$-cycle $C = (\varepsilon_0\varepsilon_1\ldots\varepsilon_{n-1})$; that is, an oriented graph with 
vertices $\{a_0, a_1, \ldots, a_{n-1}\}$ and edges 

$$\{(a_0,a_1), (a_1,a_2), \ldots, (a_{n-2},a_{n-1}), (a_{n-1},a_0)\},$$ 

where each vertex $a_j$ is labelled with $\varepsilon_j \in \{0,1\}$, $j = 0,1,\ldots,n-1$. (Note that 
then $(\varepsilon_0\varepsilon_1\ldots\varepsilon_{n-1}) = (\varepsilon_{n-1}\varepsilon_0\ldots\varepsilon_{n-2}) = \cdots$, etc.) 

Clearly, each purely periodic sequence $S$ over $\mathbb Z/2$ with period $\alpha_0\ldots\alpha_{n-1}$ of 
length $n$ could be related to the binary $n$-cycle $C(S) = (\alpha_0\ldots\alpha_{n-1})$. Conversely, to 
each binary $n$-cycle $(\alpha_0\ldots\alpha_{n-1})$ we could relate $n$ purely periodic binary sequences 
of period length $n$: they are the $n$ shifted versions of the sequence 

$$\alpha_0\ldots\alpha_{n-1}\alpha_0\ldots\alpha_{n-1}\ldots,$$ 

that is 

$$\alpha_1\ldots\alpha_{n-1}\alpha_0\alpha_1\ldots\alpha_{n-1}\alpha_0\ldots,$$ 

$$\alpha_2\ldots\alpha_{n-1}\alpha_0\alpha_1\alpha_2\ldots\alpha_{n-1}\alpha_0\alpha_1\ldots,$$ 

$$\ldots$$ 

$$\alpha_{n-1}\alpha_0\alpha_1\alpha_2\ldots\alpha_{n-2}\alpha_{n-1}\alpha_0\alpha_1\alpha_2\ldots\alpha_{n-2}\ldots$$ 

Further, a $k$-chain in a binary $n$-cycle $C$ is a binary string $\beta_0\ldots\beta_{k-1}$, $k \le n$, 
that satisfies the following condition: there exists $j \in \{0,1,\ldots,n-1\}$ such that 
$\beta_i = \varepsilon_{(i+j) \bmod n}$ for $i = 0,1,\ldots,k-1$. Thus, a $k$-chain is just a string of length $k$ 
of labels that corresponds to a chain of length $k$ in the graph $C$. 

We call a binary $n$-cycle $C$ $k$-full if each $k$-chain occurs in the graph $C$ the same 
number $r > 0$ of times. 

Clearly, if $C$ is $k$-full, then $n = r2^k$. For instance, a well-known De Bruijn 
sequence is an $n$-full $2^n$-cycle, see e.g. [25] for further references. Clearly enough, 
a $k$-full $n$-cycle is $(k-1)$-full: each $(k-1)$-chain occurs in $C$ exactly $2r$ times, 
etc. Thus, if the $n$-cycle $C(S)$ is $k$-full, then each $m$-tuple (where $1 \le m \le k$) 
occurs in the sequence $S$ with the same probability (limit frequency) $\frac{1}{2^m}$. That is, 
the sequence $S$ is $k$-distributed, see [2, Section 3.5, Definition D]. 

5.11. Definition. A purely periodic binary sequence $S$ with period length exactly 
$N$ is said to be strictly $k$-distributed iff the corresponding $N$-cycle $C(S)$ is $k$-full. 

Thus, if a sequence $S$ is strictly $k$-distributed, then it is strictly $s$-distributed 
for all positive $s \le k$. 

$k$-distribution is a good "indicator of randomness" of an infinite sequence: the 
larger $k$, the better the sequence, i.e., the "more random" it is. The best case is when a se- 
quence is $k$-distributed for all $k = 1,2,\ldots$. Such sequences are called $\infty$-distributed. 
Obviously, a periodic sequence cannot be $\infty$-distributed. 

On the other hand, a periodic sequence is just an infinite repetition of a finite 
sequence, the period. A common requirement in applications is that the period 
length must be large, and the whole period is never used in practice. For instance, 
in cryptography normally a relatively small part of a period is used. So we are 
interested in "how random" a finite sequence, namely the period, is. Of course, 
it seems very reasonable to consider a period of length $n$ as an $n$-cycle and to 
study the distribution of $k$-tuples in the $n$-cycle; for instance, if this $n$-cycle is $k$-full, the 
distribution of $k$-tuples is strictly uniform. However, other approaches also exist. 

In [2, Section 3.5, Definition Q1] the following "indicator 
of randomness" of a finite sequence over a finite alphabet $A$ is considered (we formulate the 
corresponding definition for $A = \{0,1\}$): a finite binary sequence $\varepsilon_0\varepsilon_1\ldots\varepsilon_{N-1}$ of 
length $N$ is said to be random iff 

(5.11.1) $\left|\dfrac{\nu(\beta_0\ldots\beta_{k-1})}{N} - \dfrac{1}{2^k}\right| \le \dfrac{1}{\sqrt N}$ 

for all $0 < k \le \log_2 N$, where $\nu(\beta_0\ldots\beta_{k-1})$ is the number of occurrences of the binary 
word $\beta_0\ldots\beta_{k-1}$ in the binary word $\varepsilon_0\varepsilon_1\ldots\varepsilon_{N-1}$. If a finite sequence is random in the 
sense of this Definition Q1 of [2], we shall say that it has the property Q1, or satisfies 
Q1. We shall also say that an infinite periodic sequence satisfies Q1 iff its exact 
period satisfies Q1. Note that, in contrast to the case of strict $k$-distribution, 
which implies strict $(k-1)$-distribution, it is not enough to demonstrate only that 
(5.11.1) holds for $k = \lfloor \log_2 N \rfloor$ to prove that a finite sequence of length $N$ satisfies Q1: 
for instance, the sequence $1111111100000111$ satisfies (5.11.1) for $k = \lfloor \log_2 N \rfloor = 4$, 
and does not satisfy (5.11.1) for $k = 3$. Note that an analogue of property Q1 for 
an odd prime $p$ could be stated in an obvious way. 
Now we are able to state the following 
Now we are able to state the following 

5.12. Theorem. Let the sequence $Z$ over $\mathbb Z/2^n$ be any of the output sequences of wreath 
products of automata (described in 4.3, 4.5, 4.6, 4.7, and 4.10; hence $Z$ is a purely 
periodic sequence of period length $2^n\ell$, where $\ell = 2m$ for wreath products described 
by 4.3 or 4.5, and $\ell = m$ otherwise) or, in particular, of a congruential generator 
of maximum period length (this corresponds to the case $\ell = m = 1$). Let $Z'$ be the 
binary representation of $Z$ (hence $Z'$ is a purely periodic binary sequence of period 
length exactly $2^n\ell n$). Then the sequence $Z'$ is strictly $n$-distributed. 

Moreover, if $Z'$ is the binary output sequence of a congruential generator of 
maximum period length, then this sequence satisfies Q1. 

Proof. The sequence $Z = z_0 z_1 \ldots$ is a recurrence sequence over $\{0,1,\ldots,2^n-1\}$ 
that satisfies the following recurrence relation: 

$$z_{i+1} = f_i(z_i) \bmod 2^n \qquad (i = 0,1,2,\ldots),$$ 

where $f_i$ is a compatible and measure preserving mapping of $\mathbb Z_2$ onto itself. Here and 
further in the proof we assume that the subscript $i$ of $f$ is always reduced modulo $\ell$ for 
$\ell > 1$ and is an empty symbol for $\ell = 1$ (the latter case corresponds to a congruential 
generator of maximum period length with state transition function $f \bmod 2^n$, 
where $f$ is ergodic). Let $Z' = \zeta_0\zeta_1\ldots$ be the binary representation of the sequence 
$Z$. Take an arbitrary binary word $\mathbf b = \beta_0\beta_1\ldots\beta_{n-1}$, $\beta_i \in \{0,1\}$, and for $k \in 
\{0,1,\ldots,n-1\}$ denote 

$$\nu_k(\mathbf b) = |\{r\colon 0 \le r < 2^n\ell n;\ r \equiv k \pmod n;\ \zeta_r\zeta_{r+1}\ldots\zeta_{r+n-1} = \beta_0\beta_1\ldots\beta_{n-1}\}|.$$ 

Obviously, $\nu_0(\mathbf b)$ is the number of occurrences of the rational integer $z$ with base-2 
expansion $\beta_0\beta_1\ldots\beta_{n-1}$ at the exact period of the sequence $Z$. Hence, $\nu_0(\mathbf b) = \ell$ 
since the sequence $Z$ is strictly uniformly distributed modulo $2^n$. Now consider 
$\nu_k(\mathbf b)$ for $0 < k < n$. 

Fix $k \in \{1,2,\ldots,n-1\}$ and let $r = k + tn$. As all $f_t$ are compatible, 
$\zeta_r\zeta_{r+1}\ldots\zeta_{r+n-1} = \beta_0\beta_1\ldots\beta_{n-1}$ holds if and only if the following two relations 
hold simultaneously: 

(5.12.1) $\zeta_{tn+k}\zeta_{tn+k+1}\ldots\zeta_{tn+n-1} = \beta_0\beta_1\ldots\beta_{n-k-1},$ 

(5.12.2) $f_t(\zeta_{tn}\zeta_{tn+1}\ldots\zeta_{tn+k-1}) \equiv \beta_{n-k}\beta_{n-k+1}\ldots\beta_{n-1} \pmod{2^k}.$ 

Here $\gamma_0\gamma_1\ldots\gamma_s = \gamma_0 + \gamma_1\cdot 2 + \cdots + \gamma_s\cdot 2^s$ for $\gamma_0, \gamma_1, \ldots, \gamma_s \in \{0,1\}$ is the rational 
integer with base-2 expansion $\gamma_0\gamma_1\ldots\gamma_s$. 

We consider the case $\ell = 1$ first; so $f_t = f$. Then for a given $\mathbf b = \beta_0\beta_1\ldots\beta_{n-1}$ the 
congruence (5.12.2) has exactly one solution $\alpha_0\alpha_1\ldots\alpha_{k-1}$ modulo $2^k$, since $f$ is 
ergodic, whence bijective modulo $2^k$. Thus, in view of (5.12.1) and (5.12.2) we 
conclude that $\zeta_r\zeta_{r+1}\ldots\zeta_{r+n-1} = \beta_0\beta_1\ldots\beta_{n-1}$ holds if and only if 

(5.12.3) $\zeta_s\zeta_{s+1}\ldots\zeta_{s+n-1} = \alpha_0\alpha_1\ldots\alpha_{k-1}\beta_0\beta_1\ldots\beta_{n-k-1},$ 

where $s = tn$. Yet there exists exactly one $s \equiv 0 \pmod n$, $0 \le s < 2^n n$, such that 
(5.12.3) holds, since every element of $\mathbb Z/2^n$ occurs at the period of $Z$ exactly once. 
We conclude now that if $\ell = 1$ then $\nu_k(\mathbf b) = 1$ for all $k \in \{0,1,\ldots,n-1\}$; thus, 
$\nu(\mathbf b) = \sum_{j=0}^{n-1}\nu_j(\mathbf b) = n$ for all $\mathbf b$. This means that the $(2^n n)$-cycle $C(Z')$ is $n$-full, 
whence the sequence $Z'$ is strictly $n$-distributed. 

A similar argument applies to the case $\ell > 1$. Namely, for a given $j \in 
\{0,1,\ldots,\ell-1\}$ consider those $r = k + tn < 2^n\ell n$ where $t \equiv j \pmod \ell$ and denote 

$$\nu^j_k(\mathbf b) = |\{r\colon 0 \le r < 2^n\ell n;\ r = k+tn;\ t \equiv j \pmod \ell;\ \zeta_r\zeta_{r+1}\ldots\zeta_{r+n-1} = \mathbf b\}|.$$ 

Now $\zeta_r\zeta_{r+1}\ldots\zeta_{r+n-1} = \beta_0\beta_1\ldots\beta_{n-1}$ holds if and only if (5.12.3) holds, where 
$\alpha_0\alpha_1\ldots\alpha_{k-1}$ is the unique solution of the congruence (5.12.2) modulo $2^k$. This solu- 
tion exists since all $f_j$ are measure preserving, see theorem 4.10. Yet (5.12.3) is 
equivalent to the condition 

$$z_t = \alpha_0\alpha_1\ldots\alpha_{k-1}\beta_0\beta_1\ldots\beta_{n-k-1},$$ 

where $t \in \{j, j+\ell, \ldots, j+(2^n-1)\ell\}$. But in view of claim (3) of lemma 4.7 for a given 
$\alpha_0\alpha_1\ldots\alpha_{k-1}\beta_0\beta_1\ldots\beta_{n-k-1}$ there exists exactly one $t \in \{j, j+\ell, \ldots, j+(2^n-1)\ell\}$ 
such that the latter equality holds. So we conclude that $\nu^j_k(\mathbf b) = 1$, hence $\nu_k(\mathbf b) = 
\sum_{j=0}^{\ell-1}\nu^j_k(\mathbf b) = \ell$, and finally $\nu(\mathbf b) = \sum_{k=0}^{n-1}\nu_k(\mathbf b) = n\ell$ for all $\mathbf b$. This completes the 
proof of the first assertion of the theorem. 

To prove the second assertion note that we return to the case $\ell = 1$; hence, in view of the first assertion every $m$-tuple for $1 \le m \le n$ occurs at the $2^n n$-cycle $\mathcal C(\mathcal Z')$ exactly $2^{n-m}n$ times. Thus, every such $m$-tuple occurs $2^{n-m}n - c$ times at the finite binary sequence $\mathcal Z = \mathbf z_0\mathbf z_1\ldots\mathbf z_{2^n-1}$, where $\mathbf z$ for $z \in \{0, 1, \ldots, 2^n-1\}$ is the $n$-bit sequence that agrees with the base-2 expansion of $z$. Note that $c$ depends on the $m$-tuple, yet $0 \le c \le m-1$ for every $m$-tuple. Easy algebra shows that (5.11.1) holds for these $m$-tuples.

Now to prove that $\mathcal Z'$ satisfies Q1 we have only to demonstrate that (5.11.1) holds for $m$-tuples with $m = n + d$, where $0 < d \le \log_2 n$. We claim that such an $m$-tuple occurs at the sequence $\mathcal Z$ not more than $n$ times.

Indeed, in this case $\zeta_r\zeta_{r+1}\ldots\zeta_{r+n+d-1} = \beta_0\beta_1\ldots\beta_{n+d-1}$ holds iff besides the two relations (5.12.1) and (5.12.2) the following extra congruence holds:

$f(\zeta_{tn}\zeta_{tn+1}\ldots\zeta_{tn+k-1}\beta_0\beta_1\ldots\beta_{d-1}) \equiv \beta_{n-k}\beta_{n-k+1}\ldots\beta_{n+d-1} \pmod{2^{k+d}}$,

where $k = r \bmod n$. Yet this extra congruence may or may not have a solution in the unknowns $\zeta_{tn}, \zeta_{tn+1}, \ldots, \zeta_{tn+k-1}$; this depends on $\beta_0\beta_1\ldots\beta_{n+d-1}$. But if such a solution exists, it is unique for a given $k \in \{0, 1, \ldots, n-1\}$, since $f$ is ergodic, whence bijective modulo $2^s$ for all $s = 1, 2, \ldots$. This proves our claim. Now an easy exercise in inequalities shows that (5.11.1) holds in this case, thus completing the proof of the theorem. □
5.13. Note. The first assertion of theorem 5.12 remains true for wreath products of truncated automata, i.e. for the sequence $\mathcal F$ of corollary 4.12, where $F_j(x) = \lfloor x/2^{n-k}\rfloor \bmod 2^k$, $j = 0, 1, \ldots, \ell-1$, a truncation of $n-k$ low order bits. Namely, a binary representation of the sequence $\mathcal F$ is a purely periodic strictly $k$-distributed binary sequence of period length exactly $2^n\ell k$.

The second assertion of theorem 5.12 holds for an arbitrary prime $p$. Namely, a base-$p$ representation of an output sequence of a congruential generator over $\mathbb Z/p^n$ of a maximum period length is a strictly $n$-distributed sequence over $\mathbb Z/p$ of period length exactly $p^n n$, which satisfies Q1.

Moreover, the first assertion of 5.12 holds for truncated congruential generators with output function $F(x) = \lfloor x/p^{n-k}\rfloor \bmod p^k$. Namely, a base-$p$ representation of an output sequence of a truncated congruential generator over $\mathbb Z/p^n$ of a maximum period length is a purely periodic strictly $k$-distributed sequence over $\mathbb Z/p$ of period length exactly $p^n k$.

The second assertion for this generator holds whenever $2 + p^k > kp^{n-k}$; thus, one could truncate at most $\frac{n}{2} - \log_p k$ lower order digits without affecting property Q1.

All these statements could be proved by slight modifications of the proof of 
theorem 5.12. We omit details. 
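As an added illustration (not part of the paper), the following Python code checks the first assertion of theorem 5.12 and the truncated variant of note 5.13 on small instances. It uses the single-cycle T-function $x \mapsto x + (x^2\ \mathrm{OR}\ 5) \bmod 2^n$ of Klimov and Shamir as a stand-in for an ergodic state transition function (an assumption of the example; the theorem holds for any ergodic $f$), writes each state in base 2 least significant bit first as in the text, and counts the $m$-tuples of the resulting binary sequence. It also checks the bound used in the proof of the second assertion, that an $(n+d)$-tuple with $0 < d \le \log_2 n$ occurs at most $n$ times in the finite sequence $\mathcal Z$.

```python
from collections import Counter
from math import log2


def klimov_shamir_step(x: int, n: int) -> int:
    """x -> x + (x^2 OR 5) mod 2^n: a single-cycle T-function (Klimov-Shamir),
    used only as a convenient ergodic f; the theorem does not depend on it."""
    mask = (1 << n) - 1
    return (x + ((x * x) | 5)) & mask


def state_cycle(n: int, x0: int = 0):
    """One full period of the congruential generator over Z/2^n, starting at x0."""
    xs, x = [], x0
    while True:
        xs.append(x)
        x = klimov_shamir_step(x, n)
        if x == x0:
            return xs


def to_bits(words, width):
    """Base-2 expansion of each word, least significant bit first (the paper's
    gamma_0 gamma_1 ... convention), concatenated into one binary sequence."""
    return [(w >> j) & 1 for w in words for j in range(width)]


def window_counts(bits, m, cyclic=True):
    """Multiplicity of every m-tuple occurring in the binary sequence."""
    length = len(bits)
    starts = range(length) if cyclic else range(length - m + 1)
    return Counter(tuple(bits[(i + j) % length] for j in range(m)) for i in starts)


def check_theorem_5_12(n):
    """Returns (state cycle length, multiplicities of n-tuples on the 2^n n-cycle,
    {n+d: largest multiplicity of an (n+d)-tuple in the finite sequence Z})."""
    words = state_cycle(n)
    bits = to_bits(words, n)
    ntuples = window_counts(bits, n, cyclic=True)
    longer = {n + d: max(window_counts(bits, n + d, cyclic=False).values())
              for d in range(1, int(log2(n)) + 1)}
    return len(words), ntuples, longer


def check_truncated(n, k):
    """Note 5.13: output floor(x / 2^(n-k)) mod 2^k, i.e. drop n-k low order bits.
    Returns the binary period length and the multiplicities of the k-tuples."""
    words = [x >> (n - k) for x in state_cycle(n)]
    bits = to_bits(words, k)
    return len(bits), window_counts(bits, k, cyclic=True)


if __name__ == "__main__":
    for n in (3, 4):
        cycle_len, ntuples, longer = check_theorem_5_12(n)
        print(n, cycle_len, sorted(set(ntuples.values())), longer)
    print(check_truncated(4, 2))
```

For $n = 3$ the state cycle is $0, 5, 2, 7, 4, 1, 6, 3$ and every 3-bit pattern occurs exactly $3 = n$ times on the 24-bit cycle; with two low order bits truncated ($k = 2$) every 2-bit pattern occurs $2^{n-k}k = 4$ times on a 16-bit cycle, as note 5.13 states.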

6. Some cryptanalysis 

A main goal of this section is to demonstrate that with the use of constructions 
described in Section 4 it is possible to design stream ciphers such that the problem 
of their key recovery is intractable up to some plausible conjectures. 

Consider a "known plaintext" attack. That is, a cryptanalyst obtains a plaintext and the corresponding encrypted text and tries to recover a key. Since encryption with a stream cipher is just bitwise XORing of a plaintext with a binary output sequence of a generator, a cryptanalyst obtains an output sequence and tries to recover a key. Note that the constructions we considered above enable one to make the initial state, the state transition function and the output function all key-dependent, so in general a cryptanalyst has to recover a key from a known recurrence sequence $\{y_s, y_{s+1}, \ldots\}$ that corresponds to the recurrence law $x_{i+1} = f_i(x_i) \bmod 2^n$, $y_{i+1} = g_i(x_i)$. Thus, in general a cryptanalyst has to recover an initial state $x_0$, a family of state transition functions $\{f_j\}$, a family of output functions $\{g_j\}$, and the order in which these state transition and output functions are used while producing the output sequence.

Of course, an analysis in such a general form is senseless. On the one hand it is obvious that nothing can be recovered in case $f_i$ and $g_i$ are arbitrary mappings that satisfy the conditions of 4.12 and no extra information is known to a cryptanalyst. On the other hand, it is obvious that there exist degenerate cases in which everything can be easily recovered even without extra information available.

For instance, let $m = 4k - 1$; put $f_i(x) = x + 1$ if $i \in \{0, 1, \ldots, m-1\}$ is odd, and put $f_i(x) = 1 \oplus (x + 1)$ for even $i \in \{0, 1, \ldots, m-1\}$. Let all $g_i(x) = \lfloor x/2\rfloor \bmod 2^n$ be truncations of the least significant bit. Note that this case satisfies the conditions of 4.12; thus, the corresponding output sequence modulo $2^n$ is purely periodic of period length $2^n m$, and each element of $\mathbb Z/2^n$ occurs at the period exactly twice. Yet the structure of the output sequence is so specific (its exact description could easily be obtained by the reader) that it is absolutely no problem to break such a scheme.
Thus, one can say nothing definite on how strong the generators considered in the paper are against even a single attack without considering a concrete scheme. We are not going to study concrete schemes in this paper, yet we demonstrate by a corresponding example that among the generators we study there exist ones that are provably strong against certain attacks, say, against a known plaintext attack.

To describe such an example we have to make some preliminary assumptions. Choose (randomly and independently) $k$ Boolean polynomials

$\psi_i(\chi_0, \ldots, \chi_{n-1})$ $(i = 0, 1, \ldots, k-1)$

in $n$ Boolean variables $\chi_0, \ldots, \chi_{n-1}$ each, such that the number of non-zero monomials in each $\psi_i$ is a polynomial in $n$ ($k$ could be fixed, or could be a polynomial in $n$ as well). Consider a mapping $F\colon \mathbb Z/2^n \to \mathbb Z/2^k$ defined by

$F(\chi_0, \ldots, \chi_{n-1}) = \psi_0(\chi_0, \ldots, \chi_{n-1}) + \cdots + \psi_{k-1}(\chi_0, \ldots, \chi_{n-1})\,2^{k-1}$,

where $\chi_j = \delta_j(x)$, $x \in \mathbb Z/2^n$. We conjecture that this function $F$ could be considered as one-way, that is, one could invert it (i.e., find an $F$-preimage in case it exists) only with probability negligible in $n$. Note that to find any $F$-preimage, i.e. to solve an equation $F(x) = y$ in the unknown $x$, one has to solve a system of $k$ Boolean equations in $n$ variables. However, to determine whether a given system of $k$ Boolean polynomials in $n$ variables has a common zero is an NP-complete problem, see e.g. [20, Appendix A, Section A7.2, Problem ANT-9]. So, in our view, the conjecture that the function $F$ is one-way is as plausible as the one concerning any other "candidate to one-wayness" (for a short list of the latter see e.g. [27]): Nobody today can solve a system of Boolean equations even if it is known that a solution exists (unless the system is of some special form).

Proceeding with this plausible conjecture, to each Boolean polynomial $\psi_i$, $i = 0, 1, 2, \ldots, k-1$, we relate a mapping $\Psi_i\colon \mathbb Z_2 \to \mathbb Z_2$ in the following way: $\Psi_i(x) = \psi_i(\delta_0(x), \ldots, \delta_{n-1}(x)) \in \{0, 1\} \subset \mathbb Z_2$. Now to each above mapping $F$ we relate a mapping

$f_F(x) = (1 + x) \oplus \bigl(2^{n+1}\Psi_0(x) + 2^{n+2}\Psi_1(x) + \cdots + 2^{n+k}\Psi_{k-1}(x)\bigr)$

of $\mathbb Z_2$ onto itself.

By the way, although it is not very important, note that this mapping is a composition of bitwise logical and arithmetic operations: To a monomial $\chi_{r_1}\cdots\chi_{r_s}$, where $r_1, \ldots, r_s \in \{0, 1, \ldots, n-1\}$, $r_1 < \ldots < r_s$, we relate the binomial coefficient $\binom{x}{2^{r_1}+\cdots+2^{r_s}}$; then to a Boolean polynomial we relate the sum of the corresponding binomial coefficients. For instance, to the Boolean polynomial $\psi = 1 + \chi_0 + \chi_0\chi_1 + \chi_1\chi_3$ we relate the integer valued polynomial $1 + x + \binom{x}{3} + \binom{x}{10}$. Since

$\binom{x}{2^{r_1}+\cdots+2^{r_s}} \equiv \delta_{r_1}(x)\cdots\delta_{r_s}(x) \pmod 2$

in view of Lucas' congruence¹, $\Psi_j(x) \equiv P_j(x) \pmod 2$, where $P_j(x)$ is the polynomial over the field $\mathbb Q$ of rationals that corresponds to the Boolean polynomial $\psi_j$ in the above sense. Thus, $\Psi_j(x) = P_j(x)\ \mathrm{AND}\ 1$, and the result follows.
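The correspondence between a Boolean polynomial and its integer valued polynomial, as an added worked example that is not part of the paper: a Boolean polynomial is represented as a list of monomials (each monomial a tuple of variable indices, the empty tuple standing for the constant 1), the binomial-coefficient polynomial $P$ is built from it, and Lucas' congruence is checked by comparing $P(x)\ \mathrm{AND}\ 1$ with $\psi(\delta_0(x), \ldots, \delta_{n-1}(x))$ for every $x$. The text's example $\psi = 1 + \chi_0 + \chi_0\chi_1 + \chi_1\chi_3$ is used; the second polynomial in the usage is constructed for the example.

```python
from math import comb

# The Boolean polynomial from the text: 1 + chi_0 + chi_0*chi_1 + chi_1*chi_3.
PSI_EXAMPLE = [(), (0,), (0, 1), (1, 3)]


def delta(j: int, x: int) -> int:
    """j-th binary digit of x (delta_j in the text)."""
    return (x >> j) & 1


def eval_bool_poly(psi, x: int) -> int:
    """Psi(x) = psi(delta_0(x), ..., delta_{n-1}(x)) evaluated over GF(2)."""
    return sum(all(delta(r, x) for r in mono) for mono in psi) & 1


def binomial_indices(psi):
    """Each monomial chi_{r_1}...chi_{r_s} maps to the lower index 2^{r_1}+...+2^{r_s}."""
    return [sum(1 << r for r in mono) for mono in psi]


def integer_poly(psi):
    """P(x) = sum of binom(x, 2^{r_1}+...+2^{r_s}) over the monomials of psi."""
    ks = binomial_indices(psi)
    return lambda x: sum(comb(x, k) for k in ks)


def check_lucas(psi, n: int) -> bool:
    """Lucas' congruence for p = 2: binom(x, k) is odd iff every 1-bit of k is a
    1-bit of x, so P(x) AND 1 equals Psi(x) for all x in Z/2^n."""
    P = integer_poly(psi)
    return all((P(x) & 1) == eval_bool_poly(psi, x) for x in range(1 << n))


if __name__ == "__main__":
    print(binomial_indices(PSI_EXAMPLE))        # lower indices 0, 1, 3, 10
    print(integer_poly(PSI_EXAMPLE)(10))        # 1 + 10 + C(10,3) + C(10,10)
    print(check_lucas(PSI_EXAMPLE, 4))
    print(check_lucas([(2,), (0, 2, 3), ()], 5))  # a constructed second polynomial
```

Note that the constant monomial contributes $\binom{x}{0} = 1$, and that the check is exhaustive over $\mathbb Z/2^n$ because $\Psi$ depends only on the $n$ lowest bits of $x$.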



¹ $\binom{n}{m} \equiv \binom{n_0}{m_0}\cdots\binom{n_s}{m_s} \pmod p$, where $n = n_0 + \cdots + n_s p^s$, $m = m_0 + \cdots + m_s p^s$ are base-$p$ expansions of, respectively, $n$ and $m$; $p$ prime.


Clearly,

$\delta_j(f_F(x)) = \begin{cases} 1 \oplus \delta_0(x), & \text{if } j = 0;\\ \delta_j(x) \oplus \delta_0(x)\cdots\delta_{j-1}(x), & \text{if } 0 < j \le n;\\ \delta_j(x) \oplus \delta_0(x)\cdots\delta_{j-1}(x) \oplus \psi_{j-n-1}(\delta_0(x), \ldots, \delta_{n-1}(x)), & \text{otherwise.}\end{cases}$

In view of 3.13 the mapping $f_F\colon \mathbb Z_2 \to \mathbb Z_2$ is compatible and ergodic for any choice of Boolean polynomials $\psi_0, \ldots, \psi_{k-1}$.

Consider a truncated congruential generator

$\mathfrak A = \langle \mathbb Z/2^{n+k+1},\ \mathbb Z/2^k,\ f_F \bmod 2^{n+k+1},\ g,\ x_0\rangle$,

where $g(x) = \lfloor x/2^{n+1}\rfloor \bmod 2^k$, a truncation of $n+1$ low order bits of $x$. Since the state transition function is transitive and the output function is equiprobable, the output sequence of this generator is purely periodic with period length exactly $2^{n+k+1}$, and each element of $\mathbb Z/2^k$ occurs at the period exactly $2^{n+1}$ times.

Let $x_0 \in \{0, 1, \ldots, 2^n-1\}$ be a key; in other words, the key length of the stream cipher is $n$, and we always take a key $z \in \{0, 1, \ldots, 2^n-1\}$ as an initial state (a seed). Thus, the senior $k+1$ bits of an initial state are always zero. The key $z$ is the only information that is not known to a cryptanalyst. Everything else, i.e., $n$, $k$, $f_F$, and $g$, is known, as well as the first $m$ members of the output sequence $\{y_i\}$ of the automaton.

Since $\delta_0(x)\cdots\delta_{j-1}(x) = 1$ iff $x \equiv -1 \pmod{2^j}$, the first $m$ members of the output sequence with probability $1 - \varepsilon$ (where $\varepsilon$ is negligible if $m$ is a polynomial in $n$) are:

$y_0 = \Psi_0(z) + 2\Psi_1(z) + \cdots + 2^{k-1}\Psi_{k-1}(z) = F(z)$;

$\ldots$

$y_{m-1} = \Psi_0(z+m-1) + \cdots + 2^{k-1}\Psi_{k-1}(z+m-1) = F(z+m-1)$.

To find $z$ a cryptanalyst may solve any of the above equations; he could do it only with negligible probability of success, since $F$ is one-way. On the other hand, the assumption that a cryptanalyst could find $z$ with non-negligible probability means that he could invert $F$ with non-negligible probability (see the first of the above equations). This contradicts our conjecture that $F$ is one-way. Thus, the problem of key recovery for this scheme is intractable up to the conjecture that $F$ is one-way.
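The generator $\mathfrak A$ above, as an added example that is not part of the paper. It implements $f_F$ and $g$ exactly as defined in the text for two constructed Boolean polynomials with $n = 3$, $k = 2$, verifies the stated period length $2^{n+k+1}$ and the $2^{n+1}$-fold occurrence of every output word, and checks the relation $y_0 = F(z)$ on which the key-recovery argument rests. The example assumes (as the relation $y_0 = F(z)$ requires) that $y_i$ is the output word read from the state reached after the $(i+1)$-th transition; `preimages` shows, for the toy parameters, that recovering $z$ from $y_0$ is exactly the problem of inverting $F$, which for real parameters is what the one-wayness conjecture makes intractable.

```python
from collections import Counter

# Two constructed Boolean polynomials (k = 2) in n = 3 variables; each monomial is
# a tuple of variable indices, the empty tuple being the constant 1.
POLYS_EXAMPLE = [
    [(0,), (1, 2)],      # psi_0 = chi_0 + chi_1*chi_2
    [(), (0, 2)],        # psi_1 = 1 + chi_0*chi_2
]
N_EXAMPLE = 3


def delta(j: int, x: int) -> int:
    """j-th binary digit of x."""
    return (x >> j) & 1


def eval_bool_poly(psi, x: int) -> int:
    """Psi_i(x) = psi_i(delta_0(x), ..., delta_{n-1}(x)) in {0, 1}."""
    return sum(all(delta(r, x) for r in mono) for mono in psi) & 1


def F(polys, x: int) -> int:
    """F(x) = Psi_0(x) + 2 Psi_1(x) + ... + 2^{k-1} Psi_{k-1}(x): Z/2^n -> Z/2^k."""
    return sum(eval_bool_poly(p, x) << i for i, p in enumerate(polys))


def f_F(polys, n: int, x: int) -> int:
    """State transition (1 + x) XOR (2^{n+1} Psi_0(x) + ... + 2^{n+k} Psi_{k-1}(x))."""
    return (x + 1) ^ (F(polys, x) << (n + 1))


def g(n: int, k: int, x: int) -> int:
    """Output function floor(x / 2^{n+1}) mod 2^k: drop n+1 low order bits, keep k."""
    return (x >> (n + 1)) & ((1 << k) - 1)


def run_generator(polys, n: int, z: int, steps: int):
    """Output words y_0, ..., y_{steps-1} from seed z (state space Z/2^{n+k+1});
    y_i is read from the state after the (i+1)-th transition (indexing assumption)."""
    k = len(polys)
    modulus = 1 << (n + k + 1)
    x, ys = z, []
    for _ in range(steps):
        x = f_F(polys, n, x) % modulus
        ys.append(g(n, k, x))
    return ys


def period_and_distribution(polys, n: int):
    """Length of the state cycle through 0 and how often each output word occurs on it."""
    k = len(polys)
    modulus = 1 << (n + k + 1)
    x, outs = 0, []
    while True:
        x = f_F(polys, n, x) % modulus
        outs.append(g(n, k, x))
        if x == 0:
            return len(outs), Counter(outs)


def preimages(polys, n: int, y: int):
    """All seeds z with F(z) = y: recovering the key from y_0 means inverting F.
    Exhaustive here only because n is tiny."""
    return [z for z in range(1 << n) if F(polys, z) == y]


if __name__ == "__main__":
    print(period_and_distribution(POLYS_EXAMPLE, N_EXAMPLE))   # (64, each word 16 times)
    print(run_generator(POLYS_EXAMPLE, N_EXAMPLE, 5, 4))
    print(F(POLYS_EXAMPLE, 5), preimages(POLYS_EXAMPLE, N_EXAMPLE, 1))
```

With these polynomials the map $F$ sends $5 \mapsto 1$ and $0, 2, 4 \mapsto 2$, so $y_0 = 1$ pins down the seed while $y_0 = 2$ leaves three candidates; for a polynomial number of monomials in $n$ and a full-size $n$, enumerating $2^n$ seeds as `preimages` does is exactly the cost the construction is designed to impose.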

Note. This construction could be extended to counter-dependent generators in an obvious way. We also note that the restriction that the state transition function of the above generator is $1 + x$ modulo $2^{n+1}$ is imposed only to make the idea of the construction more transparent: It is possible to construct a corresponding stream cipher, which is provably secure against a known plaintext attack, without this assumption.